mshpo - windows server update services...

Windows Server Update Services 3.0

Windows Server Update Services 3.0

Windows Server Update Services 3.0 Design Guide

Prepared by

Microsoft

Version 1.0.0.0 Baseline

First published

16 January 2008

Copyright

This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in EnglRights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exertheir rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme.

All trademarks are the property of their respective companies. Microsoft and Windows are either registerCorporation in the United States and/or other countries.

© Microsoft Corporation and Crown Copyright 2008

Disclaimer

At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dytime, these links may become invalid. Microsoft is not responsible for the content of external Intern

The example companies, organisations, products, domain names, eassociation with any real company, organisation, product, domain name, e

Windows Server Update Services 3.0Version 1.0.0.0

This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in Englare jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exer

their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface for further information on the NHS CUI Programme.

All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Crown Copyright 2008

At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dytime, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.

The example companies, organisations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

Windows Server Update Services 3.0 Design Guide 1.0.0.0 Baseline

Prepared by Microsoft

This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise

their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content.

ed trademarks or trademarks of Microsoft

At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in

mail addresses, logos, people, places, and events depicted herein are fictitious. No on, places, or events is intended or should be inferred.

Page ii


TABLE OF CONTENTS

1 Executive Summary ................................

2 Introduction ................................

2.1 Value Proposition ................................

2.2 Knowledge Prerequisites

2.2.1 Skills and Knowledge

2.2.2 Training and Assessment

2.3 Infrastructure Prerequisites

2.4 Audience ................................

2.5 Assumptions ................................

3 Using This Document ................................

3.1 Document Structure ................................

4 Plan ................................................................

4.1 Determine a Deployment Type and Management Style

4.1.1 Deployment Type ................................

4.1.2 Management Style ................................

4.1.3 Design ................................

4.2 Choose a Database ................................

4.2.1 WSUS 3.0 Database Software Options

4.3 Choose a Storage Location for Updates

4.3.1 Local Storage ................................

4.3.2 Remote Storage ................................

4.4 Determine Bandwidth Options

4.4.1 Deferring Update Downloads

4.4.2 Configurable Content Source

4.4.3 Filtering Updates ................................

4.4.4 Background Intelligent Transfer Service 2.0

4.4.5 Background Intelligent Transfer Service 3.0 Peer Caching

4.4.6 Express Installation Files

4.5 Determine Capacity Requirements

4.5.1 Native x64 Support ................................

4.5.2 Network Load Balancing Clusters

4.5.3 Microsoft SQL Server 2005 Cluster Support

5 Stabilise ................................

5.1 Areas for Testing ................................

5.1.1 Server Installation................................

5.1.2 Client Configuration Settings

5.1.3 Network and Wide Area Network Bandwidth Utilisation


ONTENTS

................................................................................................

................................................................................................................................

................................................................................................

Knowledge Prerequisites ................................................................................................

Skills and Knowledge ................................................................................................

Training and Assessment ................................................................................................

Infrastructure Prerequisites ................................................................................................

................................................................................................................................

................................................................................................

................................................................................................

................................................................................................

................................................................................................

Determine a Deployment Type and Management Style................................

................................................................................................

................................................................................................

...............................................................................................................................

................................................................................................

3.0 Database Software Options ................................................................

Choose a Storage Location for Updates ................................................................

................................................................................................

................................................................................................

e Bandwidth Options ................................................................................................

Deferring Update Downloads ................................................................

Configurable Content Source ................................................................

................................................................................................

Background Intelligent Transfer Service 2.0 ................................................................

Background Intelligent Transfer Service 3.0 Peer Caching ................................

Express Installation Files ................................................................................................

Determine Capacity Requirements ................................................................

................................................................................................

Network Load Balancing Clusters ................................................................

Microsoft SQL Server 2005 Cluster Support ................................................................

................................................................................................................................

................................................................................................

................................................................................................

Client Configuration Settings ................................................................

Network and Wide Area Network Bandwidth Utilisation ................................


Page iii

....................................................... 1

.................................... 2

...................................................... 2

.......................................... 2

.......................................... 2

.................................... 2

...................................... 3

................................... 3

............................................................. 3

.................................................... 4

.................................................. 4

................................................. 6

........................................................... 6

................................................ 7

.............................................. 8

............................... 10

................................................ 12

............................................ 12

................................................ 13

.................................................... 13

................................................ 13

................................ 14

............................................................ 14

............................................................ 15

............................................... 15

..................................... 16

.............................................. 16

.................................. 16

......................................................... 17

............................................ 17

..................................................... 18

..................................... 18

........................................ 19

.................................................... 19

.............................................. 19

............................................................. 19

................................................... 20


6 Deploy ................................

6.1 Installing the WSUS 3.0 Server

6.1.1 Co-Existence ................................

6.1.2 Installation Prerequisites

6.1.3 Installing Microsoft Internet Information Services 6.0

6.1.4 Migrating from WSUS 2.0 to WSUS 3.0

6.1.5 Licensing ................................

6.1.6 Installing WSUS 3.0

6.1.7 WSUS 3.0 Configuration Wizard

6.2 Installing the WSUS 3.0 Console


6.2.2 Installing the Console

6.2.3 Accessing the WSUS 3.0 Console

6.3 Installing the WSUS 3.0 Client


6.3.2 Updating Automatic Updates

APPENDIX A Skills and Training Resources

PART I WSUS 3.0 ................................

PART II Supplemental Training Resources

APPENDIX B Remote SQL ................................

PART I Install SQL Server 2005 SP1 or Later on the Back

PART II Check Administrative Permissions on the SQL Server

PART III Install WSUS 3.0 on the Front

APPENDIX C Configure WSUS 3.0 for Network Load Balancing

PART I Configure Remote SQL

PART II Set Up the Other Front

PART III Configure the Front

PART IV Set Up a Distributed File System Share

PART V Configure IIS on the Front

PART VI Move the Local Content Directory on the First FrontShare ................................

PART VII Configure the NLB

PART VIII Test the WSUS 3.0 NLB Configuration

PART IX Configure WSUS 3.0 Clients to Sync from the DFS Share

APPENDIX D Document Information

PART I Terms and Abbreviations

PART II References ................................


................................................................................................................................

Installing the WSUS 3.0 Server ..............................................................................................

................................................................................................

Installation Prerequisites ................................................................................................

Installing Microsoft Internet Information Services 6.0 ................................

Migrating from WSUS 2.0 to WSUS 3.0 ................................................................

................................................................................................

Installing WSUS 3.0 ................................................................................................

WSUS 3.0 Configuration Wizard ................................................................

Installing the WSUS 3.0 Console ................................................................


Installing the Console ................................................................................................

Accessing the WSUS 3.0 Console ................................................................

Installing the WSUS 3.0 Client ...............................................................................................


Updating Automatic Updates ................................................................

Skills and Training Resources ................................................................

................................................................................................

ntal Training Resources ................................................................

................................................................................................

Install SQL Server 2005 SP1 or Later on the Back-End Server ................................

Check Administrative Permissions on the SQL Server ................................

Install WSUS 3.0 on the Front-End Server ................................................................

Configure WSUS 3.0 for Network Load Balancing ................................

Configure Remote SQL ................................................................................................

Set Up the Other Front-End WSUS 3.0 Servers ................................

Configure the Front-End WSUS 3.0 Servers ................................................................

Set Up a Distributed File System Share ................................................................

Configure IIS on the Front-End WSUS 3.0 Servers ................................

Move the Local Content Directory on the First Front-End WSUS 3.0 Server to the DFS ................................................................................................

Configure the NLB ................................................................................................

Test the WSUS 3.0 NLB Configuration ................................................................

Configure WSUS 3.0 Clients to Sync from the DFS Share ................................

Document Information ..............................................................................................

Terms and Abbreviations ..............................................................................................

................................................................................................


Page iv

........................................... 21

.............................. 21

..................................................... 21

................................... 22

....................................................... 24

........................................... 25

........................................................... 25

.......................................... 26

....................................................... 31

........................................................... 43

................................... 43

........................................ 43

.................................................... 46

............................... 47

................................... 47

............................................................ 47

................................................. 48

...................................................... 48

................................................ 48

............................................... 49

................................... 49

................................................. 50

................................... 50

................................................ 51

................................. 51

........................................................... 51

................................ 52

....................................... 52

...................................................... 53

End WSUS 3.0 Server to the DFS ............................................................. 53

......................................... 54

......................................... 54

.......................................... 54

.............................. 55

.............................. 55

.................................................... 56


1 EXECUTIVE SUMMARY

In April 2007, Microsoft publicly released WSUS 3.0 which provides a number of new features, making WSUS easier to use, deploy, and support. Specifically, WSUS 3.0 provides improvements in the following areas:

� Ease of use

� Improved deployment options

� Better support for complex server hierarchies

� Better performance and bandwidth optimisation

The scope of this document is to provide updated guidance on the designWSUS 3.0 within a healthcare organisationcompanion document, the Windows Server Update Services 3.0 Operations Guideguidance on the configuration, operation and management of WSUS 3.0

The aim of this document is to assist required for a WSUS 3.0 solution. Thisavailable in WSUS 3.0 and the relevance of these covers considerations for WSUS 3.0 as a component of Forefront Client Security.guide for the WSUS 3.0 server, cons2.0 to WSUS 3.0 is also covered.

1 Windows Server Update Services 3.0 Operations Guidehttp://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx


UMMARY

In April 2007, Microsoft publicly released WSUS 3.0 which provides a number of new features, making WSUS easier to use, deploy, and support. Specifically, WSUS 3.0 provides improvements

Improved deployment options

Better support for complex server hierarchies

Better performance and bandwidth optimisation

is to provide updated guidance on the design and healthcare organisation. This document should be used together with its

Windows Server Update Services 3.0 Operations Guideguidance on the configuration, operation and management of WSUS 3.0.

aim of this document is to assist healthcare IT professionals with each of the solution. This includes the scalability and high-availability improvements

available in WSUS 3.0 and the relevance of these features for healthcare organisationscovers considerations for WSUS 3.0 as a component of Forefront Client Security.guide for the WSUS 3.0 server, console and client is included. Guidance on migrating from WSUS 2.0 to WSUS 3.0 is also covered.

Windows Server Update Services 3.0 Operations Guide {R1}: http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx


Page 1

In April 2007, Microsoft publicly released WSUS 3.0 which provides a number of new features, making WSUS easier to use, deploy, and support. Specifically, WSUS 3.0 provides improvements

deployment of This document should be used together with its

Windows Server Update Services 3.0 Operations Guide1, which provides

IT professionals with each of the design decisions availability improvements

healthcare organisations. It also covers considerations for WSUS 3.0 as a component of Forefront Client Security. An installation

ole and client is included. Guidance on migrating from WSUS

http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx


2 INTRODUCTION

The purpose of this document is to provide guidance around the implementation of WSUS 3.0 for software update management on desktop procedures necessary to successfully create the implementation design for a WSUS 3.0 server hierarchy, as well as the installation procedures for installing the WSUS 3.0 servers and clients.

The companion document to thGuide {R1}, provides the information and procedures necessary to configure, operate and manage the WSUS 3.0 servers and clients and manage software updates.

2.1 Value PropositionThis guide will take the healthcaredesign, prepare and deploy a WSUS 3.0 environment. This guidance is designed to help:

� Identify potential design and deployment risks

� Provide rapid knowledge transfer to reduce the learning curve of software update management solution

� Establish some preliminary design decisions before moving ahead with the implementation

� Provide a consolidation of relevant WSUS 3.0 common best

2.2 Knowledge PrerequisitesTo implement the recommendations made throughout this document effectively, a number of knowledge-based and environmental infrastructure prerequisites should be in place. outlines the knowledge and skills required to use the Guide, while section 2.3 details the necessary infrastructure prerequisites.

Section 2.2.1 details the prerequisite skills and knowledge, and section and suggested training resources or skill

2.2.1 Skills and Knowledge

The technical knowledge and minimum skills required to use th

� Windows Server® 2003 administration

� Windows® 2000 Professional, Windows

� Creation and administration of Organisational Units (OU) and Group Policy Objects (GPO) when using Microsoft®

� Modification of the Windows registry when using registry keys to configure WSUS client settings

� Microsoft® SQL Serverserver database

2.2.2 Training and Assessment

Guidelines on the basic skill-sets that are required in order to make best use of this detailed in APPENDIX A. The resources available. However, all courses certified training partners.


NTRODUCTION

The purpose of this document is to provide guidance around the implementation of WSUS 3.0 for software update management on desktop computers. This document provides the information and procedures necessary to successfully create the implementation design for a WSUS 3.0 server

installation procedures for installing the WSUS 3.0 servers and clients.

The companion document to this guide, the Windows Server Update Services 3.0 Operations provides the information and procedures necessary to configure, operate and manage

the WSUS 3.0 servers and clients and manage software updates.

Value Proposition healthcare IT professional through the necessary steps to successfu

design, prepare and deploy a WSUS 3.0 solution within the healthcare organisation’senvironment. This guidance is designed to help:

Identify potential design and deployment risks

Provide rapid knowledge transfer to reduce the learning curve of designing a WSUS 3.0 software update management solution

Establish some preliminary design decisions before moving ahead with the implementation

Provide a consolidation of relevant WSUS 3.0 common best-practice guidance

Knowledge Prerequisites the recommendations made throughout this document effectively, a number of

based and environmental infrastructure prerequisites should be in place. outlines the knowledge and skills required to use the Windows Server Update Services

details the necessary infrastructure prerequisites.

details the prerequisite skills and knowledge, and section 2.2.2 details the information and suggested training resources or skills assessment.

Skills and Knowledge

The technical knowledge and minimum skills required to use this guidance are:

2003 administration

2000 Professional, Windows® XP Professional or Windows Vista

Creation and administration of Organisational Units (OU) and Group Policy Objects (GPO) ® Active Directory® to configure WSUS client settings

Modification of the Windows registry when using registry keys to configure WSUS client

SQL Server® 2005 administration when using this product for the WSUS

Training and Assessment

sets that are required in order to make best use of this list in APPENDIX A represents the training courses and other

resources available. However, all courses listed are optional and can be provided by a variety of


Page 2

The purpose of this document is to provide guidance around the implementation of WSUS 3.0 for cument provides the information and

procedures necessary to successfully create the implementation design for a WSUS 3.0 server installation procedures for installing the WSUS 3.0 servers and clients.

Windows Server Update Services 3.0 Operations provides the information and procedures necessary to configure, operate and manage

IT professional through the necessary steps to successfully healthcare organisation’s network

designing a WSUS 3.0

Establish some preliminary design decisions before moving ahead with the implementation

practice guidance

the recommendations made throughout this document effectively, a number of based and environmental infrastructure prerequisites should be in place. This section

Windows Server Update Services 3.0 Design

details the information

are:

Windows Vista® administration

Creation and administration of Organisational Units (OU) and Group Policy Objects (GPO) SUS client settings

Modification of the Windows registry when using registry keys to configure WSUS client

2005 administration when using this product for the WSUS 3.0

sets that are required in order to make best use of this guidance are the training courses and other

are optional and can be provided by a variety of


2.3 Infrastructure PrerequisiThe following are prerequisites for implementing

� Windows Server 2003

� Windows 2000 Professional SP4, Windows XP SP2, or Windows Vista clients

� Windows XP SP2, Windows Vista or Windows Server 2003 SP1 or later, to host a remote WSUS 3.0 console

� A sufficient number of clients that need to be managed desktop computer configuration deployed in the live environment)

� An Internet connection allowing access to Microsoft Update for server synchronisation and with sufficient bandwidth for the download of software updates

� Adequate bandwidth between the WSUS 3.0 server and clients for the download of software updates

Recommendation

Microsoft recommends that the latest service pack be applied to all deployed

2.4 Audience The guidance contained in this document is targeted at a variety of roles within the organisation. Table 1 provides a reading guide for this document, illustrating the roles and the sections of the document that are likely to be of most interest. The structure of the sections referred to is described in section 3.1.

Role Document Usage

IT Manager Review of the entire document to understand the justification and drivers, and to develop an understanding of the implementation requirements

IT Architect Review the relevant areas within the document against local architecture strategy and implementation plans

IT Professional/ Administrator

Detailed review and implementation of the guidance to meet local requirements

Table 1: Document Audience

2.5 Assumptions The guidance provided in this document assumes that services and resources between sites already have suitable schemes in place. This is to enable successful siteAddressing schemes assigned to each participatingDirectory and the underlying Domain Name System (DNS), require the use of unique IP Addressing schemes at adjoining sites in order for crossof Network Address Translationrecommended nor supported by Microsoft.


Infrastructure Prerequisites The following are prerequisites for implementing WSUS 3.0 in a healthcare organisation

Windows Server 2003 Service Pack (SP)1 or later to host the WSUS 3.0 server

Windows 2000 Professional SP4, Windows XP SP2, or Windows Vista clients

Windows Vista or Windows Server 2003 SP1 or later, to host a remote

A sufficient number of clients that need to be managed (ideally 2 or more examples of each configuration deployed in the live environment)

nection allowing access to Microsoft Update for server synchronisation and with sufficient bandwidth for the download of software updates

Adequate bandwidth between the WSUS 3.0 server and clients for the download of

ft recommends that the latest service pack be applied to all deployed products

The guidance contained in this document is targeted at a variety of roles within the provides a reading guide for this document, illustrating the roles and the

sections of the document that are likely to be of most interest. The structure of the sections referred

Document Usage Executive

Summary

Review of the entire document to understand the justification and drivers, and to develop an understanding of the implementation requirements

�

Review the relevant areas within the document against local architecture strategy and implementation plans

�

review and implementation of the guidance to meet local requirements

�

The guidance provided in this document assumes that healthcare organisationsservices and resources between sites already have suitable Internet Protocol (IP

enable successful site-to-site communication, that is, unique IP Addressing schemes assigned to each participating healthcare organisation with no overlap.

and the underlying Domain Name System (DNS), require the use of unique IP Addressing schemes at adjoining sites in order for cross-site communication to function successfully. The use

dress Translation (NAT) within an Active Directory environment is neither recommended nor supported by Microsoft.


Page 3

a healthcare organisation:

1 or later to host the WSUS 3.0 server

Windows 2000 Professional SP4, Windows XP SP2, or Windows Vista clients

Windows Vista or Windows Server 2003 SP1 or later, to host a remote

(ideally 2 or more examples of each

nection allowing access to Microsoft Update for server synchronisation and

Adequate bandwidth between the WSUS 3.0 server and clients for the download of

products.

The guidance contained in this document is targeted at a variety of roles within the healthcare IT provides a reading guide for this document, illustrating the roles and the

sections of the document that are likely to be of most interest. The structure of the sections referred

Summary

Plan

Stabilise

Deploy

� � �

�

� � �

healthcare organisations that want to share IP) Addressing

that is, unique IP with no overlap. Active

and the underlying Domain Name System (DNS), require the use of unique IP Addressing site communication to function successfully. The use

environment is neither


3 USING THIS D

This document is intended for use by use WSUS 3.0 to manage software updates on desktop to assist with the planning and implementation of Server Update Services 3.0 Operations Guidemost common tasks involved with its use.

3.1 Document StructureAs illustrated in Figure 1, this document contains

� Plan

� Stabilise

� Deploy

The Microsoft Solutions Framework (MSF) Process Model typically contains three extra stages,‘Envision’ comes before ‘Plan’‘Deploy’. However, these stages are not relevant to this document and so have not been included.

Each section is based on the Microsoft IT Project Lifecycle as deand the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more detail in the MSF Process Model White PaperProcess Model and MOF describe a highmanaging IT solutions. Rather than prescribing a specific series of procedures, they are flexible enough to accommodate a broad range of IT projects.

The key public documentation resources for developing a Wsolution are:

� Deploying Microsoft Windows Server Update Services

� Microsoft Windows Server Update Services

Where appropriate, throughout this document, specific chapters or sections from these have been referenced along with relevant public white papers or other documents. All documents, sections and white papers will be referenced using footnotes or references.

2 MSF Process Model White Paper {R2http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b

3 MOF Executive Overview {R3}: http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx

4 Deploying Microsoft Windows Server Update Services 3.0

5 Microsoft Windows Server Update Services 3.0 Operations Guide


DOCUMENT

This document is intended for use by healthcare organisations and IT administrators who wish to manage software updates on desktop computers. The document should be used

to assist with the planning and implementation of WSUS 3.0. Its companion guide, the Server Update Services 3.0 Operations Guide {R1} should be used as a reference guide for the most common tasks involved with its use.

Document Structure his document contains three sections that deal with the project lifecycle:

The Microsoft Solutions Framework (MSF) Process Model typically contains three extra stages,’, ‘Develop’ comes before ‘Stabilise’ and ‘Operate’ comes after

. However, these stages are not relevant to this document and so have not been included.

Each section is based on the Microsoft IT Project Lifecycle as defined in the MSFand the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more

MSF Process Model White Paper2 and the MOF Executive OverviewProcess Model and MOF describe a high-level sequence of activities for building, deploying and managing IT solutions. Rather than prescribing a specific series of procedures, they are flexible enough to accommodate a broad range of IT projects.

The key public documentation resources for developing a Windows Server Update Services

Deploying Microsoft Windows Server Update Services 3.04

Microsoft Windows Server Update Services 3.0 Operations Guide5

Where appropriate, throughout this document, specific chapters or sections from these have been referenced along with relevant public white papers or other documents. All documents, sections and white papers will be referenced using footnotes or references.

R2}: m/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en

http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx

Deploying Microsoft Windows Server Update Services 3.0 {R4}: http://go.microsoft.com/fwlink/?LinkId=86416

Microsoft Windows Server Update Services 3.0 Operations Guide {R5}: http://go.microsoft.com/fwlink/?LinkId=86697


Page 4

and IT administrators who wish to . The document should be used

ts companion guide, the Windows as a reference guide for the

sections that deal with the project lifecycle:

The Microsoft Solutions Framework (MSF) Process Model typically contains three extra stages, and ‘Operate’ comes after

. However, these stages are not relevant to this document and so have not been included.

fined in the MSF Process Model, and the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more

MOF Executive Overview3. The MSF quence of activities for building, deploying and

managing IT solutions. Rather than prescribing a specific series of procedures, they are flexible

indows Server Update Services

Where appropriate, throughout this document, specific chapters or sections from these documents have been referenced along with relevant public white papers or other documents. All documents,

fc886956790e&DisplayLang=en


http://go.microsoft.com/fwlink/?LinkId=86416


http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en





Figure 1: MSF Process Model Phases and Document


: MSF Process Model Phases and Document Structure


Page 5


4 PLAN

The Plan phase is where the bulk of the implementation planning is completed. During this phase the areas for further analysis are identified and a design process commences.

Figure 2 acts as a high-level checklist, illustrating the sequence of events which the IT Architect needs to determine when planning for

Figure 2: Sequence for Planning WSUS 3.0

4.1 Determine a Deployment TypeIn this section, information about the available WSUS 3.0 server deployment and management options, and guidance on how best to design the deployment and management of WSUS 3.0 in healthcare organisations with multiple sites

When designing the WSUS 3.0 implementation‘Deployment Type’ and ‘Management Styleeither a single WSUS 3.0 server or a hierarchy with multiple WSUS 3.0 servers, which are linked together. Management Style refers to the a3.0 servers in either a centralised mannerlocally on each WSUS 3.0 server. This section provides further information about Type and Management Style.


The Plan phase is where the bulk of the implementation planning is completed. During this phase the areas for further analysis are identified and a design process commences.

level checklist, illustrating the sequence of events which the IT Architect to determine when planning for WSUS 3.0 within a healthcare organisation

a Deployment Type and Management StyleIn this section, information about the available WSUS 3.0 server deployment and management options, and guidance on how best to design the deployment and management of WSUS 3.0 in

with multiple sites, is provided.

When designing the WSUS 3.0 implementation, it is important to understand the concepts of Management Style’. Deployment Type refers to the implementation

either a single WSUS 3.0 server or a hierarchy with multiple WSUS 3.0 servers, which are linked together. Management Style refers to the administration of update distribution for multiple WSUS

ised manner or distributed manner, where administration is performed server. This section provides further information about


Page 6

The Plan phase is where the bulk of the implementation planning is completed. During this phase

level checklist, illustrating the sequence of events which the IT Architect a healthcare organisation.

and Management Style In this section, information about the available WSUS 3.0 server deployment and management options, and guidance on how best to design the deployment and management of WSUS 3.0 in

it is important to understand the concepts of implementation of

either a single WSUS 3.0 server or a hierarchy with multiple WSUS 3.0 servers, which are linked for multiple WSUS

where administration is performed server. This section provides further information about both Deployment


4.1.1 Deployment Type

There are two available deployment types for a WSUS 3.0 implementationserver hierarchy.

4.1.1.1 Single Server

With the most basic deployment type, a single WSUS 3.0 server is setorganisation to provide software updates to internal client computers. This server is configured to synchronise with Microsoft Update.

Figure 3 shows a simple single server deployment.

Figure 3: Single Server Deployment

4.1.1.2 Server Hierarchy

For more complex deployment typesWSUS 3.0 servers are linked together, an 3.0 server are created, as shown in

Figure 4: Server Hierarchy Deployment Type

When WSUS 3.0 servers are linkedthe ‘upstream’ WSUS 3.0 server type is useful for healthcare organisationsconnection and which each have aWSUS 3.0 server can download updates from Microsoft Updatecan be configured as ‘downstream3.0 server without impacting the shared

Recommendation The maximum depth of a WSUS 3.0 server an additional delay to updates being


Deployment Type

There are two available deployment types for a WSUS 3.0 implementation; single

With the most basic deployment type, a single WSUS 3.0 server is set up within the to provide software updates to internal client computers. This server is configured to

icrosoft Update.

shows a simple single server deployment.

Server Hierarchy

more complex deployment types, a hierarchy of WSUS 3.0 servers can be created. When together, an ‘upstream’ WSUS 3.0 server and a ‘downstream

, as shown in Figure 4 below.

servers are linked, the ‘downstream’ WSUS 3.0 server can be synchronised server instead of with Microsoft Update. The server hierarchy

healthcare organisations that have multiple sites that share a single each have a local WSUS 3.0 server. In this scenario, a single download updates from Microsoft Update. All the other WSUS downstream’ servers so as to download updates from the

server without impacting the shared Internet connection.

WSUS 3.0 server hierarchy is three levels. This is because each level creates to updates being synchronised to ‘downstream’ WSUS 3.0 servers


Page 7

single server and

up within the healthcare to provide software updates to internal client computers. This server is configured to

servers can be created. When downstream’ WSUS

can be synchronised with server hierarchy deployment

that share a single Internet . In this scenario, a single ‘upstream’

ll the other WSUS 3.0 servers so as to download updates from the ‘upstream’ WSUS

hierarchy is three levels. This is because each level creates WSUS 3.0 servers.


4.1.2 Management Style

The two management styles available to WSUS 3.0management styles are associated with the nature of the link between two WSUS 3.0 servers; replica or autonomous mode. The centralised management style gives an administrator the ability to manage update approval and computer groups from a single is then replicated to ‘downstreamdistributed management style, full control over WSUS WSUS 3.0 server (configured in autonomous mode).

There is no requirement to use a single management style throughout is possible to have a centraliseddistributed WSUS 3.0 deployments for other computers.capability to be toggled between replica and autonomous modes manuallyconsole. This allows easy modification ofrequirements change.

4.1.2.1 Centralised

This management style provides the abilityapproval status and computer groups with its ‘downstream’ WSUS 3.0 servers are servers offer a simple way to extend the reach of increase in administrative overhead. Administrators deploy replica WSUS 3.0 servers to reduce bandwidth consumption, while still maintaining full control over the update experience. This is especially useful in remote locations with many computers, but no IT staff.

‘Downstream’ replica WSUS 3.0 content from an ‘upstream’ WSUS 3.0themselves are replicated, not the computer group membership. Computer group memberalways specific to each WSUS 3.0 server. status to a local replica WSUS 3.0 (WAN).

To facilitate organisation-wide status reporting, information about their local computers to anormal synchronisation process.

Aside from the initial setup and servers require very little ongoing management.groups either manually via the computers into groups manually is known as serverclient-side targeting. For more information on client-side targeting, see the Windows Server Update Service


Management Style

The two management styles available to WSUS 3.0 servers are centralised and distributed.management styles are associated with the nature of the link between two WSUS 3.0 servers; replica or autonomous mode. The centralised management style gives an administrator the ability

al and computer groups from a single ‘upstream’ WSUS 3.0 server which downstream’ WSUS 3.0 servers (configured in replica mode). With the

distributed management style, full control over WSUS 3.0 administration is available locally onWSUS 3.0 server (configured in autonomous mode).

There is no requirement to use a single management style throughout a healthcare organisationised WSUS 3.0 deployment for some computers, and

deployments for other computers. Additionally, WSUS 3.0 servers have the between replica and autonomous modes manually, via the WSUS 3.0

modification of the management style should business or netw

This management style provides the ability for an ‘upstream’ WSUS 3.0 server to share updates, approval status and computer groups with its ‘downstream’ WSUS 3.0 server or servers. The

WSUS 3.0 servers are configured in replica mode. In replica mode, WSUS 3.0 offer a simple way to extend the reach of a WSUS 3.0 deployment without a corresponding

increase in administrative overhead. Administrators responsible for multiple physical locations can servers to reduce bandwidth consumption, while still maintaining full

control over the update experience. This is especially useful in remote locations with many

WSUS 3.0 servers receive update approvals, computer groups, and update WSUS 3.0 server on a scheduled basis. Only the computer groups

themselves are replicated, not the computer group membership. Computer group memberalways specific to each WSUS 3.0 server. Computers can then download updates and report their

WSUS 3.0 server, instead of communicating across the wide

wide status reporting, replica WSUS 3.0 servers upload detailed information about their local computers to an ‘upstream’ WSUS 3.0 server. This occurs

ation process.

initial setup and populating the membership of computer groupsservers require very little ongoing management. Client computers can be added to computer groups either manually via the WSUS 3.0 console, or automatically via Group Policy.computers into groups manually is known as server-side targeting; using Group Policy is known as

side targeting. For more information on computer groups, server-side targetingWindows Server Update Services 3.0 Operations Guide


Page 8

servers are centralised and distributed. The management styles are associated with the nature of the link between two WSUS 3.0 servers; replica or autonomous mode. The centralised management style gives an administrator the ability

WSUS 3.0 server which servers (configured in replica mode). With the

administration is available locally on each

a healthcare organisation. It and one or more

Additionally, WSUS 3.0 servers have the via the WSUS 3.0

should business or network

WSUS 3.0 server to share updates, WSUS 3.0 server or servers. The

In replica mode, WSUS 3.0 deployment without a corresponding

multiple physical locations can servers to reduce bandwidth consumption, while still maintaining full

control over the update experience. This is especially useful in remote locations with many

servers receive update approvals, computer groups, and update Only the computer groups

themselves are replicated, not the computer group membership. Computer group membership is Computers can then download updates and report their instead of communicating across the wide area network

servers upload detailed . This occurs during the

populating the membership of computer groups, replica WSUS 3.0 Client computers can be added to computer

onsole, or automatically via Group Policy. Moving using Group Policy is known as

targeting and Operations Guide {R1}.


Figure 5 depicts an environment with three sites that uses a centralised management administration is performed at the

Figure 5: Centralised Management Style

4.1.2.2 Distributed

The distributed management style provides administrators with full control over approvals and computer groups, locally at each WSUS 3.0 server.content from an ‘upstream’ WSUS 3.0WSUS 3.0 servers perform all other management and maintenance tasks locally. This includes approving updates, creating computer groups, and running status reports.

Autonomous WSUS 3.0 servers are also useful for test environments that are disconnected from the production network or the Internet. Update content and metadata from a production WSUS server, is easily exported to removable media, and then imported ondisconnected environment.

Note

Autonomous WSUS 3.0 servers only upload status summaries to their detailed reporting rollup is required

Exporting and importing update content and metadata is also appropriate for have high-cost or low-bandwidth links to the Internet. Even with all the bandwidthdescribed in section 4.4, downloading updates for all Microsoft products can be bandwidthImporting and exporting updates enables organithem using inexpensive medianumber of updates for a new WSUS 3.0 server


depicts an environment with three sites that uses a centralised management rmed at the ‘upstream’ site.

The distributed management style provides administrators with full control over approvals and locally at each WSUS 3.0 server. Aside from the capability to synchronis

WSUS 3.0 server (similar to replica server behaviouservers perform all other management and maintenance tasks locally. This includes

computer groups, and running status reports.

servers are also useful for test environments that are disconnected from the production network or the Internet. Update content and metadata from a production WSUS

removable media, and then imported on to the WSUS 3.0 server in a

servers only upload status summaries to their ‘upstream’ WSUS 3.0is required, use replica WSUS 3.0 servers instead.

Exporting and importing update content and metadata is also appropriate for healthcare organisationsbandwidth links to the Internet. Even with all the bandwidth-saving options , downloading updates for all Microsoft products can be bandwidth

Importing and exporting updates enables organisations to download updates once, using inexpensive media. This is often the most suitable option for initially synchronising a large

a new WSUS 3.0 server.


Page 9

depicts an environment with three sites that uses a centralised management style. The

The distributed management style provides administrators with full control over approvals and ability to synchronise update

ur), autonomous servers perform all other management and maintenance tasks locally. This includes

servers are also useful for test environments that are disconnected from the production network or the Internet. Update content and metadata from a production WSUS 3.0

the WSUS 3.0 server in a

WSUS 3.0 server. If

healthcare organisations that saving options

, downloading updates for all Microsoft products can be bandwidth-intensive. and then distribute

. This is often the most suitable option for initially synchronising a large


Figure 6 depicts an environment with three sites that uses the distributed management style where administration is performed locally at each site.

Figure 6: Distributed Management Style

4.1.3 Design

The following information is requiredmanagement style for a WSUS 3.0 server infrastructure.

� The number of sites (that contain clients that are to be managed

� The number of clients per site (these shoul3.0 and that fit the prerequisites for WSUS

� The link speed between sites and available bandwidth

� Knowledge of the healthcareand have knowledge of the organisational administrative model)

Once this information has been obtained, type and management style design.

Note

The proceeding sections of the Plan phase should then be design.

1. Determine all the sites within the become WSUS 3.0 clients.

2. If there is more than one site to be managed, created. A server hierarchy is a requirement for a centralised management style, butalso be beneficial with a distributed management style if it offers the most bandwidth-efficient method of synchronising content


depicts an environment with three sites that uses the distributed management style where administration is performed locally at each site.

is required when making design decisions about deployment type and for a WSUS 3.0 server infrastructure.

umber of sites (that contain clients that are to be managed locally

umber of clients per site (these should be clients that are to be managed using WSUS and that fit the prerequisites for WSUS 3.0 clients)

ink speed between sites and available bandwidth

healthcare administrative structure (where IT administrators are present knowledge of the organisational administrative model)

Once this information has been obtained, work through the steps below to create a deployment type and management style design.

The proceeding sections of the Plan phase should then be given consideration before finalising the

etermine all the sites within the healthcare organisation that have computers which will become WSUS 3.0 clients.

If there is more than one site to be managed, determine whether a server hierarchy will be server hierarchy is a requirement for a centralised management style, but

with a distributed management style if it offers the most ethod of synchronising content to the autonomous WSUS 3.0 servers.


Page 10

depicts an environment with three sites that uses the distributed management style where

deployment type and

locally, using WSUS 3.0)

d be clients that are to be managed using WSUS

administrative structure (where IT administrators are present

to create a deployment

before finalising the

that have computers which will

whether a server hierarchy will be server hierarchy is a requirement for a centralised management style, but it may

with a distributed management style if it offers the most to the autonomous WSUS 3.0 servers.


3. Where a server hierarchy is to be createdWSUS 3.0 server or servers. The be at the centre of a healthcare organisation’san ‘upstream’ WSUS 3.0 serverclients does not exceed the recommended maximum of Once the site or sites for below can be followed for the remaining sites.

4. For each of the remaining This will be determined by the number of clients on the site, the available bandwidth to Microsoft Update or another siterequirement for local control of update approvals. If a separate server is required, go to step 5. If a separate server is not required, go to step

5. For sites that will host a lowhich management style will be used. If style to allow local control of update approvals, go to step centralised management style to allow global control of update approvals from an ‘upstream’ WSUS 3.0 server

6. For WSUS 3.0 servers deployed in thedownload source for the updatserver, if there is a good WAN connection to the site that hosts the server. Alternatively, the download source will be local Internet connection.

7. For WSUS 3.0 servers deployed in the centralised management style, replica mode will need to be enabled and an 3.0 server will be the download source for download source for the actual update files will either be the same server, if there is a good WAN connection to the site that hosts the server or Microsoft Update if the site has a fast local Internet connection.information on the configuring content source, refer to section

8. For sites with no local WSUS 3.0 server, clients to for updates. Within most server configured to use rlocal WSUS 3.0 server.storage option.

Recommendation

In the event of the failure of one WSUS 3.0 serverpossible to redirect clients to anotherWSUS 3.0 server be restored redirection. This reduces the administration overhead of removing WSUS 3.0 clients from the database of the alternate WSUS 3.0 server


hierarchy is to be created, decide which site or sites will host the WSUS 3.0 server or servers. The site hosting an ‘upstream’ WSUS 3.0 server

healthcare organisation’s network topology. For each siteWSUS 3.0 server, a single server will be deployed (assuming the number of

clients does not exceed the recommended maximum of 20,000 per WSUS or sites for ‘upstream’ WSUS 3.0 servers have been determi

be followed for the remaining sites.

of the remaining sites, decide whether a local WSUS 3.0 server will be required. This will be determined by the number of clients on the site, the available bandwidth to

another site that has a WSUS 3.0 server, and whether or not there is a requirement for local control of update approvals. If a separate server is required, go to step . If a separate server is not required, go to step 8.

that will host a local WSUS 3.0 server, deploy the WSUS 3.0 server and decide which management style will be used. If the requirement is for a distributed management

local control of update approvals, go to step 6. If the requirement is for a ement style to allow global control of update approvals from an

WSUS 3.0 server, go to step 7.

For WSUS 3.0 servers deployed in the distributed management style, ddownload source for the update files. The download source will be an ‘upstreamserver, if there is a good WAN connection to the site that hosts the ‘upstream

. Alternatively, the download source will be Microsoft Update if the site has a fastconnection.

For WSUS 3.0 servers deployed in the centralised management style, replica mode will need to be enabled and an ‘upstream’ WSUS 3.0 server determined. The 3.0 server will be the download source for update approvals and computer groups. The ownload source for the actual update files will either be the same ‘upstreamserver, if there is a good WAN connection to the site that hosts the ‘upstreamserver or Microsoft Update if the site has a fast local Internet connection.information on the configuring content source, refer to section 4.4.2.

For sites with no local WSUS 3.0 server, determine which WSUS 3.0 servWithin most healthcare organisations, a centrally located WSUS 3.0

server configured to use remote storage will be the most suitable solutionWSUS 3.0 server. Refer to section 4.3.2 for more information about the remote

In the event of the failure of one WSUS 3.0 server, in an environment with multiple WSUS 3.0 serverclients to another WSUS 3.0 server. It is recommended, however,

be restored from backup, rather than modifying the client settingsthe administration overhead of removing WSUS 3.0 clients from the database of

the alternate WSUS 3.0 server, after they have been moved back to their original WSUS 3.0 server.


Page 11

decide which site or sites will host the ‘upstream’ WSUS 3.0 server will usually

For each site that will host assuming the number of

,000 per WSUS 3.0 server). been determined, the steps

, decide whether a local WSUS 3.0 server will be required. This will be determined by the number of clients on the site, the available bandwidth to

and whether or not there is a requirement for local control of update approvals. If a separate server is required, go to step

server, deploy the WSUS 3.0 server and decide is for a distributed management

If the requirement is for a ement style to allow global control of update approvals from an

, determine the upstream’ WSUS 3.0

upstream’ WSUS 3.0 Microsoft Update if the site has a fast

For WSUS 3.0 servers deployed in the centralised management style, replica mode will WSUS 3.0 server determined. The ‘upstream’ WSUS

update approvals and computer groups. The upstream’ WSUS 3.0 upstream’ WSUS 3.0

server or Microsoft Update if the site has a fast local Internet connection. For more

WSUS 3.0 server to point the , a centrally located WSUS 3.0

solution for sites with no for more information about the remote

multiple WSUS 3.0 servers, it is , however, that the failed

the client settings to facilitate the administration overhead of removing WSUS 3.0 clients from the database of

after they have been moved back to their original WSUS 3.0 server.


4.2 Choose a DatabaseA WSUS 3.0 server uses a database to store the following typ

� WSUS 3.0 server configuration information

� Metadata that describes each update

� Information about client computers, updates

Each WSUS 3.0 server requires its own database. database is required for each server databases on a single SQL Sbalanced WSUS 3.0 server clusterthis configuration, see section

4.2.1 WSUS 3.0 Database Software

While any database software that is 100there are two database software 3.0 server. It is recommended that one of the

� Windows Internal Database ships with WSUS 3.0. It is a size or connections. It lacks any user interface or tools, so all administration must be performed through the WSUS 3.0

� Microsoft SQL Server 200database software is selected, WSUS 3.0 requires SQL Server 2005 with Service Pack 1 or later. With SQL Server 2005, WSUS 3.0 supports running the database on a remote computer with some restrictions. For more information on remote SQL Server database

Regardless of the database software schema, and the management of WSUS supported. The database should be managed through the WSUS programmatically by calling WSUS

Note

Regardless of which database software is used, it is not possible to use SQL authentication. WSUS only supports Windows authentication.

When using Microsoft SQL Server 2005, it is advised that the SQL Server administrator nested triggers option in SQL Server 3.0 server setup enables the recursive triggers option, which is a databasehowever, enable the nested triggers option, which is a server global

The design decision around database choice is related and the maintenance options required to manage the WSUS 3.0 database. Both Windows Internal Database and Microsoft SQL Server 2005 will scale to infrastructure.

The only WSUS 3.0 configuration that requires the use of Microsoft SQL Server 2005a Network Load Balancing (NLB) cluster. For more information about WSUS 3.0 and NLBsection 4.5.2.


Choose a Database uses a database to store the following types of information:

WSUS 3.0 server configuration information

describes each update

client computers, updates and client interaction with updates

server requires its own database. If multiple WSUS 3.0 servers ex WSUS 3.0 server. WSUS 3.0 does not support multiple WSUS

databases on a single SQL Server instance. The only exception to this is a network load balanced WSUS 3.0 server cluster, using a SQL Server failover cluster. For more information on this configuration, see section 4.5.1.

Database Software Options

While any database software that is 100% compatible with Microsoft SQL Server can be used, two database software options available that have been tested extensivelt is recommended that one of these two options is used:

Windows Internal Database – Also known as SQL Server Embedded Edition, tships with WSUS 3.0. It is a free version of SQL Server that has no limisize or connections. It lacks any user interface or tools, so all administration must be

formed through the WSUS 3.0 console.

Microsoft SQL Server 2005 – This is a full-featured database from Micrososelected, WSUS 3.0 requires SQL Server 2005 with Service Pack 1 or

later. With SQL Server 2005, WSUS 3.0 supports running the database on a remote computer with some restrictions. For more information on the requirements for

database, see APPENDIX B.

database software that is chosen, modification of the WSUS and the management of WSUS 3.0 by accessing data directly in the database

supported. The database should be managed through the WSUS 3.0 console or programmatically by calling WSUS 3.0 Application Programming Interfaces (APIs).

dless of which database software is used, it is not possible to use SQL authentication. WSUS only supports Windows authentication.

When using Microsoft SQL Server 2005, it is advised that the SQL Server administrator on in SQL Server is enabled (default) before installing the WSUS

etup enables the recursive triggers option, which is a database-specific optionenable the nested triggers option, which is a server global option.

The design decision around database choice is related entirely to the level of administrative control and the maintenance options required to manage the WSUS 3.0 database. Both Windows Internal Database and Microsoft SQL Server 2005 will scale to support the limits of a WSUS 3.0 server

The only WSUS 3.0 configuration that requires the use of Microsoft SQL Server 2005a Network Load Balancing (NLB) cluster. For more information about WSUS 3.0 and NLB


Page 12

es of information:

and client interaction with updates

servers exist, a separate does not support multiple WSUS 3.0

erver instance. The only exception to this is a network load ailover cluster. For more information on

compatible with Microsoft SQL Server can be used, tested extensively with WSUS

Also known as SQL Server Embedded Edition, this database limitations for database

size or connections. It lacks any user interface or tools, so all administration must be

icrosoft. If this selected, WSUS 3.0 requires SQL Server 2005 with Service Pack 1 or

later. With SQL Server 2005, WSUS 3.0 supports running the database on a remote the requirements for configuring a

is chosen, modification of the WSUS 3.0 database by accessing data directly in the database, are not

console or managed Application Programming Interfaces (APIs).

dless of which database software is used, it is not possible to use SQL authentication. WSUS only

When using Microsoft SQL Server 2005, it is advised that the SQL Server administrator verifies that the WSUS 3.0 server. WSUS

specific option. It does not,

to the level of administrative control and the maintenance options required to manage the WSUS 3.0 database. Both Windows Internal

WSUS 3.0 server

The only WSUS 3.0 configuration that requires the use of Microsoft SQL Server 2005, is the use of a Network Load Balancing (NLB) cluster. For more information about WSUS 3.0 and NLB, see


4.3 Choose a Storage Location for UpdatesThere are two parts to the updatesinformation about the update, and the actual on a computer.

Metadata includes the information that describes what the update is for and the Agreements (EULAs). The metadata part is typically update, and it is stored in the WSUS

For the actual update binaries there are two options for storage locations. locally on the WSUS 3.0 server, or they can be stored remotely on Microsoft Update.3.0 server hierarchy, each server can choose its own update storage options.

4.3.1 Local Storage

Update files can be stored locally on the WSUS System (NTFS) partition. Storing updates locally on the WSUS Internet connection, as updates are only downloaded once from Microsoft Update. minimum requirement of 20 GB of hard disk space to store the updatesrecommended. The amount of hard disk space that is actually used depends on the products, classifications and language options that have been selected for download.

Note

For this guidance, only critical updates and security updates forsystems and Microsoft Office will be selected for download. In this configurationmaximum of 30 GB should not be exceeded. However, if additional products and classifications and/or language options are selected for download, it is possible that the recommended maximum of 30 GB could be exceeded.

4.3.2 Remote Storage

Update files can also be stored remotely on Microsoft Update servers. In this configurationWSUS 3.0 server only downloads the metadata assoadministrator then approves the updatefrom Microsoft Update.

Remote Storage is most useful in scenarios where 3.0 server. WSUS 3.0 clients (without a local distributed healthcare organisationcostly inter-site network to get updafiles directly from Microsoft Updatereducing the bandwidth impact on the site hosting the WSUS 3.0 server.a useful option for dialup/Virtual Private Network (remote locations. Clients can connect to the site over dialup/VPN connections, and with the WSUS 3.0 server to receive a list of approved updates. client can begin the download by connecting to Microsoft Update through the dialup/VPN connection. The client is not restricted to receiving the updates through this connection The client can also connect directlas it is still connected locally to the

Note

Whilst a dialup/VPN client is connected to the site, update downloads will take place over the dialup/VPN link. Consider using Background Intelligent Transfer Service (BITS) 2.0 prevent the clients from saturating the link. For more information on BITS and bandwidth limitation policies, see section 4.4.4.


Choose a Storage Location for Updates re are two parts to the updates distributed by WSUS 3.0; a metadata part that provides

information about the update, and the actual update binaries that are required to install the update

Metadata includes the information that describes what the update is for and the EULAs). The metadata part is typically much smaller than the size of the actual is stored in the WSUS 3.0 database.

binaries there are two options for storage locations. Updates can be stored rver, or they can be stored remotely on Microsoft Update.

3.0 server hierarchy, each server can choose its own update storage options.

Update files can be stored locally on the WSUS 3.0 server. The updates are stored on an partition. Storing updates locally on the WSUS 3.0 server saves bandwidth on the

as updates are only downloaded once from Microsoft Update. GB of hard disk space to store the updates locally, but 30 GB is

recommended. The amount of hard disk space that is actually used depends on the products, classifications and language options that have been selected for download.

For this guidance, only critical updates and security updates for Microsoft Windows desktop operating systems and Microsoft Office will be selected for download. In this configuration, the recommended maximum of 30 GB should not be exceeded. However, if additional products and classifications and/or

selected for download, it is possible that the recommended maximum of 30 GB

Remote Storage

Update files can also be stored remotely on Microsoft Update servers. In this configurationdownloads the metadata associated with an update. The WSUS

administrator then approves the update, and the WSUS 3.0 client downloads the update directly

useful in scenarios where the WSUS 3.0 clients do not have a local WSUS 3.0 server. WSUS 3.0 clients (without a local WSUS 3.0 server) in some parts of

healthcare organisation may connect to a WSUS 3.0 server across to get update approvals. The clients could then retrieve the actual update

files directly from Microsoft Update across a faster or less costly direct internet connectionreducing the bandwidth impact on the site hosting the WSUS 3.0 server. This configuration

Virtual Private Network (VPN) users who connect to the lients can connect to the site over dialup/VPN connections, and server to receive a list of approved updates. If approved updates are found, the

client can begin the download by connecting to Microsoft Update through the dialup/VPN t restricted to receiving the updates through this connection

also connect directly to Microsoft Update when the VPN link is disconnected, is still connected locally to the Internet.

Whilst a dialup/VPN client is connected to the site, update downloads will take place over the dialup/VPN Background Intelligent Transfer Service (BITS) 2.0 bandwidth limitation policies to

prevent the clients from saturating the link. For more information on BITS and bandwidth limitation


Page 13

a metadata part that provides that are required to install the update

Metadata includes the information that describes what the update is for and the End-User Licence much smaller than the size of the actual

Updates can be stored rver, or they can be stored remotely on Microsoft Update. In a WSUS

server. The updates are stored on an NT File server saves bandwidth on the

as updates are only downloaded once from Microsoft Update. There is a , but 30 GB is

recommended. The amount of hard disk space that is actually used depends on the products,

Microsoft Windows desktop operating the recommended

maximum of 30 GB should not be exceeded. However, if additional products and classifications and/or selected for download, it is possible that the recommended maximum of 30 GB

Update files can also be stored remotely on Microsoft Update servers. In this configuration, the ciated with an update. The WSUS 3.0 server

client downloads the update directly

do not have a local WSUS some parts of a geographically

across a slow, congested or ould then retrieve the actual update

direct internet connection, This configuration is also

users who connect to the network from lients can connect to the site over dialup/VPN connections, and communicate

If approved updates are found, the client can begin the download by connecting to Microsoft Update through the dialup/VPN

t restricted to receiving the updates through this connection however. y to Microsoft Update when the VPN link is disconnected, as long

Whilst a dialup/VPN client is connected to the site, update downloads will take place over the dialup/VPN bandwidth limitation policies to

prevent the clients from saturating the link. For more information on BITS and bandwidth limitation


This scenario has the advantage of faster downloads for distributed clientsbandwidth savings for the sites hosting the WSUS 3.0 serversapprovals from.

Information

Remote storage can be configured as part of the setup process, but can also be configured after the server has been installed using the WSUS

The storage option selected applies to all clients connected supporting sufficient numbers of both local and remote clients, consider deploying more than one WSUS 3.0 server with different storage options selected.

Figure 7 depicts an environment where one WSUS 3.0 server is configured with local storage to handle local clients, and a second WSUS 3.0 server is configured with remote storage to handle remotely located clients.

Figure 7: WSUS 3.0 Storage Options

4.4 Determine Bandwidth OptionsWSUS 3.0 requires a number of decisions Update because of the impact on bandwidth usage.

4.4.1 Deferring Update Downloads

WSUS 3.0 allows the synchronisation of update metadata before the download of the actual update files. In this scenario, update files are only downloaded after the update has been approved, saving the unnecessary use of bandwidth and disk space.

In a WSUS 3.0 server hierarchy, deferred download option that is selected on the highest are first linked. If deferred downloads an update that has not been approved on the download on the ‘upstream’ WSUS 3.0 server. The downloads the content from the leading to potential delays between content requests and availability.


scenario has the advantage of faster downloads for distributed clients. It also providesbandwidth savings for the sites hosting the WSUS 3.0 servers that the clients are retrie

Remote storage can be configured as part of the setup process, but can also be configured after the server has been installed using the WSUS 3.0 console.

he storage option selected applies to all clients connected to a WSUS 3.0 server. If a single site is supporting sufficient numbers of both local and remote clients, consider deploying more than one WSUS 3.0 server with different storage options selected.

depicts an environment where one WSUS 3.0 server is configured with local storage to handle local clients, and a second WSUS 3.0 server is configured with remote storage to handle

Determine Bandwidth Options WSUS 3.0 requires a number of decisions to be made about how to synchronise with Microsoft

impact on bandwidth usage.

Deferring Update Downloads

allows the synchronisation of update metadata before the download of the actual update files. In this scenario, update files are only downloaded after the update has been approved, saving the unnecessary use of bandwidth and disk space.

r hierarchy, ‘downstream’ WSUS 3.0 servers are automatically set to use the deferred download option that is selected on the highest ‘upstream’ WSUS 3.0 server when they are first linked. If deferred downloads are enabled and a ‘downstream’ WSUS 3.0 serveran update that has not been approved on the ‘upstream’ WSUS 3.0 server, the request triggers a

WSUS 3.0 server. The ‘downstream’ WSUS 3.0 server then only downloads the content from the ‘upstream’ WSUS 3.0 server during a subsequent synchronisation, leading to potential delays between content requests and availability.


Page 14

. It also provides network the clients are retrieving update

Remote storage can be configured as part of the setup process, but can also be configured after the

to a WSUS 3.0 server. If a single site is supporting sufficient numbers of both local and remote clients, consider deploying more than one

depicts an environment where one WSUS 3.0 server is configured with local storage to handle local clients, and a second WSUS 3.0 server is configured with remote storage to handle

about how to synchronise with Microsoft

allows the synchronisation of update metadata before the download of the actual update files. In this scenario, update files are only downloaded after the update has been approved, saving

WSUS 3.0 servers are automatically set to use the WSUS 3.0 server when they

WSUS 3.0 server requests WSUS 3.0 server, the request triggers a

WSUS 3.0 server then only a subsequent synchronisation,


Recommendation

Deferred updates are not the recommended option when employing a hierarchy of WSUS 3.0 servers. This is because there may be a delay in diswhen a server is situated more than one level deep in a hierarchy of WSUS 3.0 servers.

Note

Deferring the download of updates is the default WSUS 3.0 configuration when chooslocally. This option can be changed

4.4.2 Configurable Content Source

WSUS 3.0 allows administrators to split replica download across two different connections. For example, a with a slow or heavily used WAN high-speed Internet connectivityinformation across the WAN. It Update servers using the local

This functionality would allow healthcare organisationscongested private inter-site network links, but each with direct internet connectionsimpact on bandwidth to the site or sites hosting its

Figure 8 depicts an environment where a downstream replica WSUS 3.0 server is configured to synchronise update metadata from an upstream WSUS 3.0 server, and download update files directly from Microsoft Update.

Figure 8: WSUS 3.0 Configurable Content Source

4.4.3 Filtering Updates

With WSUS 3.0, it is possible to filter the updates synchronised by language, product and classification. WSUS 3.0 automatically sets all filtering options that are selected on the WSUS 3.0 server, this configuration supported by its ‘upstream’ WSUS 3.0

Note

Microsoft recommends limitingdisk space.


pdates are not the recommended option when employing a hierarchy of WSUS 3.0 servers. This is because there may be a delay in distributing updates to downstream clients. This is especially true when a server is situated more than one level deep in a hierarchy of WSUS 3.0 servers.

Deferring the download of updates is the default WSUS 3.0 configuration when chooscan be changed manually via the WSUS 3.0 console.

Configurable Content Source

WSUS 3.0 allows administrators to split replica WSUS 3.0 server communication and content download across two different connections. For example, a ‘downstream’ replica

WAN connection to its ‘upstream’ WSUS 3.0 server speed Internet connectivity, can synchronise update metadata, computer groups, and status

. It can then download approved update content directly local high-speed Internet connection.

healthcare organisations with multiple sites connected via ite network links, but each with direct internet connections

impact on bandwidth to the site or sites hosting its ‘upstream’ WSUS 3.0 servers.

depicts an environment where a downstream replica WSUS 3.0 server is configured to synchronise update metadata from an upstream WSUS 3.0 server, and download update files directly from Microsoft Update.

Configurable Content Source

Filtering Updates

it is possible to filter the updates synchronised by language, product and WSUS 3.0 automatically sets all ‘downstream’ WSUS 3.0 servers to use the update

re selected on the highest ‘upstream’ WSUS 3.0 server. On a this configuration can be changed to synchronise only a subset of l

WSUS 3.0 server.

ing languages to the ones actually used, in order to conserve bandwidth and


Page 15

pdates are not the recommended option when employing a hierarchy of WSUS 3.0 servers. tributing updates to downstream clients. This is especially true

when a server is situated more than one level deep in a hierarchy of WSUS 3.0 servers.

Deferring the download of updates is the default WSUS 3.0 configuration when choosing to store updates

server communication and content replica WSUS 3.0 server

WSUS 3.0 server along with local e update metadata, computer groups, and status

directly from Microsoft

with multiple sites connected via the slow or ite network links, but each with direct internet connections, to reduce the

WSUS 3.0 servers.

depicts an environment where a downstream replica WSUS 3.0 server is configured to synchronise update metadata from an upstream WSUS 3.0 server, and download update files

it is possible to filter the updates synchronised by language, product and WSUS 3.0 servers to use the update

On a ‘downstream’ a subset of languages

in order to conserve bandwidth and


4.4.4 Background Intelligent Transfer Service 2.0

BITS is installed by default on upgraded, if necessary, to BITS 2.0 when the client first connects to the WSUS 2.0 can be configured to use no more than a defined amount of bandwidthlimitation policies. Bandwidth limitation policies are implemented through Group Policy or reentries and limit the amount of bandwidth that BITS is allowed to use. If bandwidth limitation policies are not implemented, BITS may consume large amounts of WAN bandwidth. For more information on BITS 2.0 and BITS bandwidth limitation policies, seServices 3.0 Operations Guide

Important

Be aware that when implementing BITS bandwidth limitation policies, all abe affected by the policy.

When clients download updates from a WSUS 3.0 server across a WAN link, it is recommended that appropriate BITS bandwidth limitation policies are implemented.

4.4.5 Background Intelligent Transfer Ser

Improvements in the Automatic Updates functionality in a WSUS 3.0 environment that is Vista can take advantage of BITS 3.0 peercomputers in the same domain and on the same IP subnet.server, this allows Windows Vista computers to share update content.

BITS 3.0 peer caching can therefore reduce the impact on available bandwidth forserver. If a large percentage of computers rely on BITS 3.0 peer caching instead of a

Note

BITS 3.0 peer caching can only be enabled through Group Policy. For more information on enabling BITS 3.0 peer caching, see the Windows Server Update Services 3.0 Operations Guide

4.4.6 Express Installation Files

Express installation files can be used to the limit the amount of bandwidth consumed on a Local Area Network (LAN), between a WSUS 3.0 server and WSUS 3.0 clients.expense of Internet bandwidth and disk space on the WSUS 3.0 server.

Typical updates contain new versions of files that already exist on the computer being updated. To apply the update, the new file is downloaded tothe express installation files featurefiles are identified, and only these differences are downloaded to the clmerges the differences with the original file on the client computer to create the new version.

The size of the update downloaded from Microsoft Update to the WSUS 3.0 server is in the order of three times larger than the size of a nowill always be smaller than normal update filefiles on the computer being updated.

The express installation files feature is not suitable for abeen deemed suitable by Microsoft to use the feature will be able to do so. When the express installation files feature is enabled, updates that don’t support this feature will continue to be distributed in the normal way, that is, the new fileoverwritten.


Background Intelligent Transfer Service 2.0

BITS is installed by default on all the supported desktop operating systems for WSUS 3.0to BITS 2.0 when the client first connects to the WSUS

2.0 can be configured to use no more than a defined amount of bandwidth, through bandwidth limitation policies. Bandwidth limitation policies are implemented through Group Policy or reentries and limit the amount of bandwidth that BITS is allowed to use. If bandwidth limitation policies are not implemented, BITS may consume large amounts of WAN bandwidth. For more information on BITS 2.0 and BITS bandwidth limitation policies, see the Windows Server Update Services 3.0 Operations Guide {R1}.

Be aware that when implementing BITS bandwidth limitation policies, all applications that utilise BITS will

When clients download updates from a WSUS 3.0 server across a WAN link, it is recommended that appropriate BITS bandwidth limitation policies are implemented.

Background Intelligent Transfer Service 3.0 Peer Caching

rovements in the Automatic Updates client BITS 3.0 on Windows Vista providein a WSUS 3.0 environment that is not available to other operating systems. Windows

Vista can take advantage of BITS 3.0 peer caching to share content with other Windows Vista computers in the same domain and on the same IP subnet. When connected to a WSUS 3.0 server, this allows Windows Vista computers to share update content.

therefore significantly reduce the load on WSUS 3.0 servers.reduce the impact on available bandwidth for remote sites which don’t have a local WSUS server. If a large percentage of computers at a remote site run Windows Vista, it

caching instead of a deploying a replica WSUS 3.0 server.

caching can only be enabled through Group Policy. For more information on enabling BITS Windows Server Update Services 3.0 Operations Guide {

Express Installation Files

Express installation files can be used to the limit the amount of bandwidth consumed on a Local n a WSUS 3.0 server and WSUS 3.0 clients. This is achieved at the

of Internet bandwidth and disk space on the WSUS 3.0 server.

Typical updates contain new versions of files that already exist on the computer being updated. To new file is downloaded to the computer and overwrites the existing file.

he express installation files feature is enabled, the exact bytes that are different in new versions of files are identified, and only these differences are downloaded to the client. The update then merges the differences with the original file on the client computer to create the new version.

The size of the update downloaded from Microsoft Update to the WSUS 3.0 server is in the order of three times larger than the size of a normal update. The size of the update downloadedwill always be smaller than normal update files, but varies depending on the current files on the computer being updated.

The express installation files feature is not suitable for all updates. Only those updates that have been deemed suitable by Microsoft to use the feature will be able to do so. When the express installation files feature is enabled, updates that don’t support this feature will continue to be

al way, that is, the new files will be downloaded and the existing file


Page 16

all the supported desktop operating systems for WSUS 3.0, and is to BITS 2.0 when the client first connects to the WSUS 3.0 server. BITS

through bandwidth limitation policies. Bandwidth limitation policies are implemented through Group Policy or registry entries and limit the amount of bandwidth that BITS is allowed to use. If bandwidth limitation policies are not implemented, BITS may consume large amounts of WAN bandwidth. For more

Windows Server Update

pplications that utilise BITS will

When clients download updates from a WSUS 3.0 server across a WAN link, it is recommended that

Caching

on Windows Vista provide additional other operating systems. Windows

caching to share content with other Windows Vista When connected to a WSUS 3.0

duce the load on WSUS 3.0 servers. It can also a local WSUS 3.0 , it may be possible to

server.

caching can only be enabled through Group Policy. For more information on enabling BITS {R1}.

Express installation files can be used to the limit the amount of bandwidth consumed on a Local This is achieved at the

Typical updates contain new versions of files that already exist on the computer being updated. To e computer and overwrites the existing file. When

is enabled, the exact bytes that are different in new versions of ient. The update then

merges the differences with the original file on the client computer to create the new version.

The size of the update downloaded from Microsoft Update to the WSUS 3.0 server is in the order of rmal update. The size of the update downloaded to clients

current version of the

ll updates. Only those updates that have been deemed suitable by Microsoft to use the feature will be able to do so. When the express installation files feature is enabled, updates that don’t support this feature will continue to be

will be downloaded and the existing files


Note

By default, the express installation files feature is disabled. If updates are not being stored locally on the WSUS 3.0 server, it will not be possible to enable the

4.5 Determine Capacity RequirementsThe hardware specification of WSUS database software requirements are driven by the number of WSUSa WSUS 3.0 server. The following table providedatabase software requirementsserver for updates.

Note

The hardware recommendations below are based on a sthis is the recommended configuration, it is possible to run WSUSWhen running WSUS 3.0 in such a configuration, be sure to account for the additional processing, memory and disk requirements of the additional server application

Table 2 shows the minimum requirements for a WSUS

Hardware CPU

<500 clients 1GHz or faster processor

500-3,000 clients 2GHz or faster processor

3,000-10,000 clients, or rollup of 30,000 clients

3GHz or faster processor

10,000-20,000 clients, or rollup of 100,000 clients

3GHz or faster dual processor

Table 2: Hardware Recommendations

These recommendations are based on default settings which do not take into account factors such as increasing the automatic updates detection frequency. This defines how often the client communicates with the WSUS 3.0 server. The more often a client communserver, the greater the performance impact on the server. For more information on the automatic updates detection frequency, see the

Note

The guidelines in Table 2 assume that WSUS 3.0 clients are synchronising with the WSUS 3.0 servevery eight hours.

4.5.1 Native x64 Support

WSUS 3.0 is available in a native 64x64 Edition. This version is appropriate for x64benefits for large environments. For example, up to 20,000 clients are supported on a single server using the x64 version of WSUS 3.0.

Note

Should the WSUS 3.0 server be used as a distribution server for any stage, please be aware thatForefront Client Security on the 64


By default, the express installation files feature is disabled. If updates are not being stored locally on the WSUS 3.0 server, it will not be possible to enable the express installation files feature.

Determine Capacity Requirements The hardware specification of WSUS 3.0 servers must be properly scoped. The hardware and database software requirements are driven by the number of WSUS 3.0 clients that are serviced by

server. The following table provides recommendations on the server hardware and database software requirements, based on the number of clients connecting to the WSUS

he hardware recommendations below are based on a server that is dedicated to WSUSthis is the recommended configuration, it is possible to run WSUS 3.0 alongside other server applications.

in such a configuration, be sure to account for the additional processing, and disk requirements of the additional server application. In addition, perform adequate testing.

shows the minimum requirements for a WSUS 3.0 server based on the number

CPU Architecture RAM Network Card


i386 1GB 10MB


i386 2GB 100MB


i386 2GB 1GB

3GHz or faster dual processor

x64 4GB 1GB

These recommendations are based on default settings which do not take into account factors such as increasing the automatic updates detection frequency. This defines how often the client communicates with the WSUS 3.0 server. The more often a client communicates with a WSUS 3.0 server, the greater the performance impact on the server. For more information on the automatic updates detection frequency, see the Windows Server Update Services 3.0 Operations Guide

assume that WSUS 3.0 clients are synchronising with the WSUS 3.0 serv

Native x64 Support

WSUS 3.0 is available in a native 64-bit version (x64) for use on Microsoft Windows Server 2003 x64 Edition. This version is appropriate for x64-compatible hardware, and offers specific scale

nvironments. For example, up to 20,000 clients are supported on a single server using the x64 version of WSUS 3.0.

Should the WSUS 3.0 server be used as a distribution server for Microsoft® Forefrontany stage, please be aware that Microsoft does not support installing the Distribution Server component of

the 64-bit version of WSUS 3.0 server.


Page 17

By default, the express installation files feature is disabled. If updates are not being stored locally on the express installation files feature.

servers must be properly scoped. The hardware and clients that are serviced by

recommendations on the server hardware and based on the number of clients connecting to the WSUS 3.0

erver that is dedicated to WSUS 3.0. Although alongside other server applications.

in such a configuration, be sure to account for the additional processing, perform adequate testing.

based on the number of clients.

Database

Windows Internal Database

Windows Internal Database

Windows Internal Database or SQL Server 2005 SP1 or later

Windows Internal Database or SQL Server 2005 SP1 or later

These recommendations are based on default settings which do not take into account factors such as increasing the automatic updates detection frequency. This defines how often the client

icates with a WSUS 3.0 server, the greater the performance impact on the server. For more information on the automatic

Windows Server Update Services 3.0 Operations Guide {R1}.

assume that WSUS 3.0 clients are synchronising with the WSUS 3.0 server

bit version (x64) for use on Microsoft Windows Server 2003 compatible hardware, and offers specific scale-up

nvironments. For example, up to 20,000 clients are supported on a single server

Forefront™ Client Security at Microsoft does not support installing the Distribution Server component of


4.5.2 Network Load Balancing

WSUS 3.0 supports Network Load Balancing (large environments. By using NLB, two to four frontWSUS 3.0 clients, as a single planned maintenance or an unplanned component faithe remaining NLB member or members

Note

NLB clustering requires that the WSUS 3.0 database database is stored on a separate server. Additionally, NLB clustof clients supported by a single WSUS server.

WSUS 3.0 servers configured in an NLB cluster to store their content. See APPENDIX CMicrosoft SQL Server 2005 for

4.5.3 Microsoft SQL Server 2005 Cluster Support

WSUS 3.0 now supports Microsoft SQL Server 2005 clusenvironments with a back-end database server. Microsoft SQL Server 2005 clustering can be used with a single front-end WSUS 3.0 serverWSUS 3.0 servers.


etwork Load Balancing Clusters

Network Load Balancing (NLB), a high-availability technology large environments. By using NLB, two to four front-end WSUS 3.0 servers present themselves

a single WSUS 3.0 server. If a front-end WSUS 3.0 server goes offline for planned maintenance or an unplanned component failure, clients continue to receive updates from

or members.

NLB clustering requires that the WSUS 3.0 database software is Microsoft SQL Server 2005stored on a separate server. Additionally, NLB clustering does not increase the total number

of clients supported by a single WSUS server.

configured in an NLB cluster can also use a Distributed File ShareAPPENDIX C for more information about configuring WSUS for NLB.

Microsoft SQL Server 2005 Cluster Support

WSUS 3.0 now supports Microsoft SQL Server 2005 clustering to provide high-end database server. Microsoft SQL Server 2005 clustering can be used

end WSUS 3.0 server, or as part of a fully-redundant design with NLB front


Page 18

availability technology appropriate for end WSUS 3.0 servers present themselves, to

server goes offline for clients continue to receive updates from

software is Microsoft SQL Server 2005, and that the ering does not increase the total number

Distributed File Share (DFS) share for more information about configuring WSUS 3.0 and

-availability for end database server. Microsoft SQL Server 2005 clustering can be used

redundant design with NLB front-end


5 STABILISE

The Stabilise phase involves testing the solution componentsand resolving and prioritising any issues that are found. Testing during this phase emphasises usage and operation of the solution components under

This involves testing and acceptance of

Figure 9 acts as a high-level checklist, illustrating the critical components anresponsible for stabilising the design of

Figure 9: Sequence for Stabilising WSUS 3.0

5.1 Areas for TestingWhen testing a WSUS 3.0 server lab environment before deploying to the should mirror the live network environment as closely as possible. Once testing is complete in the test network environment, the solution cantesting should be performed. In both test scenariostest plan:

� Server installation and configuration

� Network and WAN bandwidth utilisation

5.1.1 Server Installation

There are a number of design decisionsdecisions were discussed as part of the in the Plan phase to ensure they deliver the desired outcomeshould be thoroughly tested:

� Single server or server

� Centralised or distributed management style

� Local or remote storage

� Database software used

� Hardware used

The installation of WSUS 3.0 is discussed in the the Plan and Deploy phases, as

5.1.2 Client Configuration Settings

The WSUS 3.0 clients need to be configured to connect tPolicy settings or registry entries. The configuration of the client is discussed in the Server Update Services 3.0 Operations Guidethe configuration of WSUS 3.0 clients and test the configuration on all of thesystem versions in the healthcare organisationclients can successfully communicate with and receive software updates from the WSUS server.


The Stabilise phase involves testing the solution components, the features of which resolving and prioritising any issues that are found. Testing during this phase emphasises

usage and operation of the solution components under realistic environmental conditions.

olves testing and acceptance of WSUS 3.0.

level checklist, illustrating the critical components an IT professionalresponsible for stabilising the design of WSUS 3.0, needs to determine.

Areas for Testing 3.0 server implementation it is recommended the deploymen

lab environment before deploying to the healthcare organisation’s live network. This test network should mirror the live network environment as closely as possible. Once testing is complete in the test network environment, the solution can be deployed to the live network environment, and further testing should be performed. In both test scenarios, the following areas should be covered in the

and configuration

Network and WAN bandwidth utilisation

lation

design decisions available when deploying a WSUS 3.0were discussed as part of the Plan phase in section 4. Test the decisions

they deliver the desired outcome. The following design decisions

server or server hierarchy deployment type

Centralised or distributed management style

Local or remote storage

Database software used

is discussed in the Deploy phase in section 6. Use the information in , as detailed in this document, to perform the testing.

Client Configuration Settings

clients need to be configured to connect to a WSUS 3.0 server through Group Policy settings or registry entries. The configuration of the client is discussed in the

Operations Guide {R1} that accompanies this document.the configuration of WSUS 3.0 clients and test the configuration on all of the client operating

healthcare organisation’s network environment. Ensure that thecan successfully communicate with and receive software updates from the WSUS


Page 19

of which are complete, resolving and prioritising any issues that are found. Testing during this phase emphasises

realistic environmental conditions.

IT professional,

implementation it is recommended the deployment be tested in a live network. This test network

should mirror the live network environment as closely as possible. Once testing is complete in the be deployed to the live network environment, and further

the following areas should be covered in the

WSUS 3.0 server. These decisions that were made

design decisions

. Use the information in to perform the testing.

server through Group Policy settings or registry entries. The configuration of the client is discussed in the Windows

that accompanies this document. Decide on client operating

nsure that the WSUS 3.0 can successfully communicate with and receive software updates from the WSUS 3.0


5.1.3 Network and W

When WSUS 3.0 clients download updates from a WSUS to use idle bandwidth but is not aware of the link speed or utilisation of the network past its own local Network Interface Card (NIC). This means that if there is a slow section of the network between the WSUS 3.0 client and updates could potentially saturate the link. It is possible to limit the amount of bandwidth that is used, by using BITS 2.0 with bandwidth limitation policiesPolicy or registry entries. For more information onsee section 4.4.4. Perform testing to ensure that software update downloads will not saturate links and cause network outages.


Network and Wide Area Network Bandwidth Utilisation

clients download updates from a WSUS 3.0 server, BITS is used. BITS attempts ut is not aware of the link speed or utilisation of the network past its own

local Network Interface Card (NIC). This means that if there is a slow section of the network client and WSUS 3.0 server, such as a WAN link, the download of

updates could potentially saturate the link. It is possible to limit the amount of bandwidth that is by using BITS 2.0 with bandwidth limitation policies, which can be applied through Group

Policy or registry entries. For more information on using BITS 2.0 with bandwidth limitation policies, . Perform testing to ensure that software update downloads will not saturate links


Page 20

Bandwidth Utilisation

BITS is used. BITS attempts ut is not aware of the link speed or utilisation of the network past its own

local Network Interface Card (NIC). This means that if there is a slow section of the network server, such as a WAN link, the download of software

updates could potentially saturate the link. It is possible to limit the amount of bandwidth that is can be applied through Group

using BITS 2.0 with bandwidth limitation policies, . Perform testing to ensure that software update downloads will not saturate links


6 DEPLOY

During the Deploy phase, the core solution components are deployed for more widespread application and use, and the deployment is stabilised through ongoing monitoring. The solution is then transitioned to operations and support.

Figure 10 acts as a high-level checklist, illustrating the critical components which an IT Professional, responsible for deploying

Figure 10: Sequence for Deploying WSUS 3.0

6.1 Installing the WSUS

6.1.1 Co-Existence

It is recommended that WSUS 3.0 server is always installed on a server that does not run any other server applications and servicesis necessary to install WSUS 3.0 on a server that currently runs other server applications and services, bear the following points in mind:

� Wherever possible, avoid installing WSUS 3.0 on a Domain Contrsecurity

� When installing WSUS 3.0 on a server that hosts other Webare no conflicts or additional installation requirements. It is recommended that if a Web site already exists on a server; WSUS 3.0 is iWSUS 3.0 using a custom Web site, there must still be a Web site on port 80 for hosting the ‘SelfUpdate’ tree. For more information on installing WSUS using a custom Web site, see section 6.1.3.1. For more information on the

� Monitor the performance of the server before and after installing WSUS 3.0 to ensure that there are no significant performance bottlenecks


During the Deploy phase, the core solution components are deployed for more widespread application and use, and the deployment is stabilised through ongoing monitoring. The solution is then transitioned to operations and support.

level checklist, illustrating the critical components which an IT responsible for deploying WSUS 3.0, needs to determine.

WSUS 3.0

Installing the WSUS 3.0 Server

It is recommended that WSUS 3.0 server is always installed on a server that does not run any other server applications and services, other than those required to run WSUS 3.0 server. However, if it is necessary to install WSUS 3.0 on a server that currently runs other server applications and services, bear the following points in mind:

Wherever possible, avoid installing WSUS 3.0 on a Domain Controller as this decreases

hen installing WSUS 3.0 on a server that hosts other Web-based servicesare no conflicts or additional installation requirements. It is recommended that if a Web site already exists on a server; WSUS 3.0 is installed using a custom Web site. When installing WSUS 3.0 using a custom Web site, there must still be a Web site on port 80 for hosting

tree. For more information on installing WSUS using a custom Web site, For more information on the ‘SelfUpdate’ tree, see section

Monitor the performance of the server before and after installing WSUS 3.0 to ensure that there are no significant performance bottlenecks


Page 21

During the Deploy phase, the core solution components are deployed for more widespread application and use, and the deployment is stabilised through ongoing monitoring. The solution is

level checklist, illustrating the critical components which an IT

It is recommended that WSUS 3.0 server is always installed on a server that does not run any other those required to run WSUS 3.0 server. However, if it

is necessary to install WSUS 3.0 on a server that currently runs other server applications and

oller as this decreases

based services, ensure there are no conflicts or additional installation requirements. It is recommended that if a Web site

nstalled using a custom Web site. When installing WSUS 3.0 using a custom Web site, there must still be a Web site on port 80 for hosting

tree. For more information on installing WSUS using a custom Web site, tree, see section 6.3.2.

Monitor the performance of the server before and after installing WSUS 3.0 to ensure that



The following prerequisites need to be considered before installing WSUS

� Privileges

� Permissions

� Internet access

� Disks and partitions

� Software

6.1.2.1 Privileges

To install WSUS 3.0, local administrator privileges are required on the WSUS 3.0 server. During installation, a group called ‘WSUS Administrators’ is created. This group provides the permissions required for administration of WSUS 3.0. Assigning users to this group after installation, removes the need to provide local administrator privilegesWSUS 3.0.

6.1.2.2 Permissions

Before starting the WSUS 3.0 swhere WSUS 3.0 will store updatespermissions on the root drive where updatespermissions set.

To check permissions on the drive and directories where updates are stored

1. Double-click My Computer

2. Right-click the drive where updates are stored, and then click

3. Ensure that the drive has read permissions for the builtAuthority\Network Service

4. Ensure that the root folder on the drive also has read permissions Authority\Network Service

5. Ensure that the content directory itself (usually <drivename>:read permissions for NT Authorityset by the installation program.

6.1.2.3 Internet Access

If Internet access is restricted through the firewall or proxy server, ensure the configuration allows the WSUS 3.0 server, or serverconfigured to use Remote Storage, also ensure that the WSUS Update. The configuration should allow outbound TCP ports 80 and 443.

Note

All connections to Microsoft Update are initiated by the WSUSthere are no configuration considerations f

Although connections to Microsoft Update must always use ports 80 and 443, it is possible to configure WSUS servers to synchronise with each other using a custom port.see section 6.1.3.


Installation Prerequisites

tes need to be considered before installing WSUS 3.0.

To install WSUS 3.0, local administrator privileges are required on the WSUS 3.0 server. During ‘WSUS Administrators’ is created. This group provides the permissions

required for administration of WSUS 3.0. Assigning users to this group after installation, removes the need to provide local administrator privileges on the WSUS 3.0 server for th

3.0 setup, ensure that the root of the drive (not the system partition store updates, has certain permissions. WSUS 3.0 setup does not modify

oot drive where updates are stored, but this drive may not have

To check permissions on the drive and directories where updates are stored

My Computer.

click the drive where updates are stored, and then click Sharing and Security

Ensure that the drive has read permissions for the built-in Users group or Network Service.

Ensure that the root folder on the drive also has read permissions for NTNetwork Service.

Ensure that the content directory itself (usually <drivename>:\WSUS\WsusContent) has NT Authority\Network Service. These permissions should have been

set by the installation program.

Internet Access

nternet access is restricted through the firewall or proxy server, ensure the configuration allows or servers, access to Microsoft Update. If there are WSUS

configured to use Remote Storage, also ensure that the WSUS 3.0 clients have access to Microsoft Update. The configuration should allow outbound TCP ports 80 and 443.

All connections to Microsoft Update are initiated by the WSUS 3.0 server or WSUS there are no configuration considerations for Windows Firewall on the server or client operating system.

Although connections to Microsoft Update must always use ports 80 and 443, it is possible to configure WSUS servers to synchronise with each other using a custom port. For more information


Page 22

To install WSUS 3.0, local administrator privileges are required on the WSUS 3.0 server. During ‘WSUS Administrators’ is created. This group provides the permissions

required for administration of WSUS 3.0. Assigning users to this group after installation, removes for the administration of

(not the system partition – C:\) etup does not modify

, but this drive may not have the appropriate

To check permissions on the drive and directories where updates are stored:

Sharing and Security.

in Users group or NT

NT

WsusContent) has . These permissions should have been

nternet access is restricted through the firewall or proxy server, ensure the configuration allows Microsoft Update. If there are WSUS 3.0 servers

clients have access to Microsoft

server or WSUS 3.0 client. Therefore, or Windows Firewall on the server or client operating system.

Although connections to Microsoft Update must always use ports 80 and 443, it is possible to For more information,


When a firewall or proxy server is configured to filter possible to enter a list of permittdomains should never be entered as they are liable to change from time to time. Ensure the following domains are allowed in the firewall or proxy server’s configuration:

� http://windowsupdate.microsoft.com

� http://*.windowsupdate.microsoft.com

� https://*.windowsupdate.microsoft.com

� http://*.update.microsoft.com

� https://*.update.microsoft.com

� http://*.windowsupdate.com

� http://download.windowsupdate.com

� http://download.microsoft.com

� http://*.download.windows

� http://test.stats.update

� http://ntservicepack.microsoft.com

6.1.2.4 Disks and Partitions

There are a number of requirements for disk and partition configuration on the servers that will host WSUS 3.0. The following list details these requi

� Both the system partition and the partition to which WSUS formatted with the NTFS file system

� A minimum of 1 GB of free space is required for the system partition

� A minimum of 20 GB of free space is required for the volume where WSUS content; 30 GB is the recommended amount, though it is possible that in some circumstances, more space may be necessaryare selected

� A minimum of 2 GB of free space is required on the volume where WSUS the Windows Internal Database.100% compatible with SQL Server, ensure that enough free disk space is available on tpartition where the database content is stored

Table 3 below lists the recommended disk configuration for a WSUS 3.0 server.

Array RAID Level Data

1 (C:) 1 System: Operating system (including page file)

2 (D:) 10 or 5 Data: WSUS 3.0

Table 3: Disk Configuration Recommendations

Note

WSUS 3.0 cannot be installed on compressed drives. Please check that the driveinstalled is not compressed.


When a firewall or proxy server is configured to filter Internet requests by domain name, it is permitted domains. However, the corresponding IP addresses of these

domains should never be entered as they are liable to change from time to time. Ensure the following domains are allowed in the firewall or proxy server’s configuration:

http://windowsupdate.microsoft.com

tp://*.windowsupdate.microsoft.com

https://*.windowsupdate.microsoft.com

http://*.update.microsoft.com

https://*.update.microsoft.com

http://*.windowsupdate.com

http://download.windowsupdate.com

http://download.microsoft.com

http://*.download.windowsupdate.com

test.stats.update.windows.com

http://ntservicepack.microsoft.com

Disks and Partitions

There are a number of requirements for disk and partition configuration on the servers that will host . The following list details these requirements:

Both the system partition and the partition to which WSUS 3.0 will be installed, must be formatted with the NTFS file system

A minimum of 1 GB of free space is required for the system partition

GB of free space is required for the volume where WSUS content; 30 GB is the recommended amount, though it is possible that in some

more space may be necessary if additional update categories or languages

um of 2 GB of free space is required on the volume where WSUS Windows Internal Database. If Microsoft SQL Server 2005 is used, or a product that is

compatible with SQL Server, ensure that enough free disk space is available on tpartition where the database content is stored

below lists the recommended disk configuration for a WSUS 3.0 server.

System: Operating system (including page file), Windows Internal Database and WSUS 3.0 files

WSUS 3.0 database and content files

: Disk Configuration Recommendations

installed on compressed drives. Please check that the drive on which


Page 23

nternet requests by domain name, it is owever, the corresponding IP addresses of these

domains should never be entered as they are liable to change from time to time. Ensure the

There are a number of requirements for disk and partition configuration on the servers that will host

will be installed, must be

GB of free space is required for the volume where WSUS 3.0 stores its content; 30 GB is the recommended amount, though it is possible that in some

if additional update categories or languages

um of 2 GB of free space is required on the volume where WSUS 3.0 setup installs If Microsoft SQL Server 2005 is used, or a product that is

compatible with SQL Server, ensure that enough free disk space is available on the

below lists the recommended disk configuration for a WSUS 3.0 server.

, Windows Internal Database and WSUS 3.0 files

on which WSUS 3.0 is


6.1.2.5 Software

There are a number of software requirements for the installation of WSUSserver must be installed on Windows Server additional software requirements:

� Microsoft Internet Information Services (IIS) 6.0

� Microsoft .NET Framework 2.0

� Microsoft Management Console 3.0

� Microsoft Report Viewer Redistributable 2005

� Windows Internal Database,that is 100% compatible with

Note

After installing Microsoft SQL Server 20053.0.

Table 4 provides the links to download the software

Software

Microsoft .NET Framework Version 2.0 Redistributable Package

Microsoft .NET Framework Version 2.0 Redistributable Package (x64)

Microsoft Management Console 3.0 for Windows Server 2003 (x86)


Microsoft Report Viewer Redistributable

Table 4: Server Software Download Links

6.1.3 Installing Microsoft Internet Information Services

As detailed in section 6.1.2, WSUS 3.0the WSUS 3.0 server. By default, WSUS WSUS 3.0 setup provides the option to create a new Web site on a custom port.

If IIS 6.0 is already installed and the IIS service (W3SVC) has been stopped, WSUS setup will start the service. If the

To install IIS 6.0 on Windows Server 2003:

1. Click Start, click Control Panel

2. Click Add/Remove Windows Components

3. In the Components list

4. Click Details and ensure ASP.NET is selected.

5. Click OK, click Next and

Note

By default, IIS writes logging information to the files contain useful information about client connections to the WSUS 3.0 server. However, by default these files are not deleted and can these files, or alternatively, use the Internet Services Manager files to a drive with sufficient space.


There are a number of software requirements for the installation of WSUS 3.0 serverserver must be installed on Windows Server 2003 SP1 or later. The following list details the

software requirements:

Microsoft Internet Information Services (IIS) 6.0

Microsoft .NET Framework 2.0

Microsoft Management Console 3.0

Microsoft Report Viewer Redistributable 2005

l Database, Microsoft SQL Server 2005 SP1 or later, or database software compatible with Microsoft SQL

After installing Microsoft SQL Server 2005, a system restart is required before attempting to install WSUS

provides the links to download the software prerequisites for a WSUS 3.0

Download Link

Redistributable Package (x86) http://go.microsoft.com/fwlink/?LinkId=68935

Microsoft .NET Framework Version 2.0 Redistributable Package (x64) http://go.microsoft.com/fwlink/?LinkId=70637

Microsoft Management Console 3.0 for Windows Server 2003 (x86) http://go.microsoft.com/fwlink/?LinkId=70412


Microsoft Report Viewer Redistributable 2005 http://go.microsoft.com/fwlink/?LinkId=70410

Microsoft Internet Information Services 6.0

WSUS 3.0 requires IIS 6.0 to be installed on the server that will host . By default, WSUS 3.0 server uses the default Web site in IIS. However,

setup provides the option to create a new Web site on a custom port.

is already installed and the IIS service (W3SVC) has been stopped, WSUS f the default Web site is not running, it will also be started.

on Windows Server 2003:

Control Panel, and then double-click Add or Remove Programs

Add/Remove Windows Components.

list, select Application Server.

sure ASP.NET is selected.

and then follow the instructions on the screen.

IIS writes logging information to the %windir%\System32\Logfiles\W3SVC1 directory. The log information about client connections to the WSUS 3.0 server. However, by default

these files are not deleted and can become quite large. Perform a periodic manual deletion or archiv, use the Internet Services Manager console to change the location of the log

files to a drive with sufficient space.


Page 24

3.0 server. WSUS 3.0 The following list details the

or database software

a system restart is required before attempting to install WSUS

3.0 server.






6.0

to be installed on the server that will host uses the default Web site in IIS. However, the

setup provides the option to create a new Web site on a custom port.

is already installed and the IIS service (W3SVC) has been stopped, WSUS 3.0 server it will also be started.

Add or Remove Programs.

W3SVC1 directory. The log information about client connections to the WSUS 3.0 server. However, by default

erform a periodic manual deletion or archiving of console to change the location of the log







6.1.3.1 Installing WSUS

With a default installation of WSUS 3.0, the IIS 6.0However, it is also possible to insto a custom Web site, port 8530 is used. This port is not configurablemalicious programs target port 80, running the WSUS Web site on a custom port provides the ability to temporarily shut down port 80 in the event of a security incidentdistribute software updates. When installing WSUS 3.0 to a custom Web siteis still installed to the default Web site running on pmust be maintained. For more information on the

Recommendation

Use a custom Web site for WSUS on servers that already run a Web site on port 80.

6.1.4 Migrating from WSUS 2.0 to WSUS 3.0

The WSUS 3.0 installation program will migrate all WSUS 2.0 settings to WSUS 3.0. Furthermore, if the installation program finds any SQL Server databasit will back up the existing database, install Windows Internal Database, and migrate the database to it.

If an existing WSUS 2.0 server hierarchy existsa top-down hierarchical order. In other words, migrated to WSUS 3.0 after its 3.0. The migration should always begin with thmigrated to WSUS 3.0 first.

Before migrating from WSUS 2.0 to WSUS 3.0 perform the following tasks

� Ensure that the WSUS 2.0 installation is in good working order before upgrading

� Check for recent errors in the event logs, problems with synchronization between ‘downstream’ WSUS 2.0 clients not reporting. En

� Run DBCC CHECKDB to ensure that the WSUS

� Back up the WSUS 2.0

� Re-index the WSUS 3.0 re-indexing the database, see the {R1}

6.1.5 Licensing

WSUS 3.0 is a free product and as suchensure that all Microsoft products trequirement detailed in the EULA at installation time. Each client that connects to WSUS be properly licensed. In addition, each client Access Licence (CAL) for connecting to the WSUS when WSUS 3.0 using Windows Internal DatabaseEdition server. In this configuration, a Windows or Core CAL is noconnects to the server.

When using Windows Internal Databaserequired. If Microsoft SQL Server 2005 needs to be properly licensed with managed by WSUS 3.0, or a per


Installing WSUS 3.0 to a Custom Web Site

With a default installation of WSUS 3.0, the IIS 6.0 default Web site running on port 80 is used. However, it is also possible to install WSUS 3.0 to a custom Web site. When WSUS 3.0 is installed to a custom Web site, port 8530 is used. This port is not configurable during installationmalicious programs target port 80, running the WSUS Web site on a custom port provides the ility to temporarily shut down port 80 in the event of a security incident, whilst still being able to

distribute software updates. When installing WSUS 3.0 to a custom Web site, the is still installed to the default Web site running on port 80, therefore a Web site running on port 80

. For more information on the ‘SelfUpdate’ tree, see section

Web site for WSUS on servers that already run a Web site on port 80.

from WSUS 2.0 to WSUS 3.0

The WSUS 3.0 installation program will migrate all WSUS 2.0 settings to WSUS 3.0. Furthermore, if the installation program finds any SQL Server database other than SQL Serverit will back up the existing database, install Windows Internal Database, and migrate the database

If an existing WSUS 2.0 server hierarchy exists, then the WSUS 2.0 servers need. In other words, a ‘downstream’ WSUS 2.0 server should only be

migrated to WSUS 3.0 after its ‘upstream’ WSUS 2.0 server has already been migrated to WSUS 3.0. The migration should always begin with the highest ‘upstream’ WSUS 2.0 server

Before migrating from WSUS 2.0 to WSUS 3.0 perform the following tasks:

WSUS 2.0 installation is in good working order before upgrading

heck for recent errors in the event logs, problems with synchronization between WSUS 2.0 servers and ‘upstream’ WSUS 2.0 servers, or problems with

Ensure that these issues have been resolved before continuing

ECKDB to ensure that the WSUS 2.0 database is correctly indexed

2.0 database

US 3.0 database after the upgrade. For more information about indexing the database, see the Windows Server Update Services 3.0 Operations Guide

is a free product and as such, does not require a licence. However, it is necessary to ensure that all Microsoft products that will be updated by WSUS 3.0 are properly licensed. This is a requirement detailed in the EULA at installation time. Each client that connects to WSUS

. In addition, each client is also required to have a Windows or Core CAccess Licence (CAL) for connecting to the WSUS 3.0 server. The only exception to this rule is

Windows Internal Database, is installed on a Windows Server 2003 Web Edition server. In this configuration, a Windows or Core CAL is not required for every client that

Windows Internal Database for the WSUS 3.0 server database softwarerequired. If Microsoft SQL Server 2005 is used for the WSUS 3.0 server database

to be properly licensed with either a Microsoft SQL Server 2005 CAL for every device , or a per-processor licence.


Page 25

default Web site running on port 80 is used. tall WSUS 3.0 to a custom Web site. When WSUS 3.0 is installed

during installation. As many malicious programs target port 80, running the WSUS Web site on a custom port provides the

whilst still being able to the ‘SelfUpdate’ tree

a Web site running on port 80, tree, see section 6.3.2.

Web site for WSUS on servers that already run a Web site on port 80.

The WSUS 3.0 installation program will migrate all WSUS 2.0 settings to WSUS 3.0. Furthermore, Server 2005 SP1 or later,

it will back up the existing database, install Windows Internal Database, and migrate the database

the WSUS 2.0 servers need to be migrated in WSUS 2.0 server should only be

has already been migrated to WSUS .0 server being

WSUS 2.0 installation is in good working order before upgrading

heck for recent errors in the event logs, problems with synchronization between servers, or problems with

sure that these issues have been resolved before continuing

database is correctly indexed

upgrade. For more information about 3.0 Operations Guide

does not require a licence. However, it is necessary to are properly licensed. This is a

requirement detailed in the EULA at installation time. Each client that connects to WSUS 3.0 should is also required to have a Windows or Core Client

server. The only exception to this rule is is installed on a Windows Server 2003 Web

t required for every client that

database software, no licence is database software, it

a Microsoft SQL Server 2005 CAL for every device


6.1.6 Installing WSUS 3.0

This section provides the procedures for installing WSUS using a local database. For instructions on installing WSUSscenario, refer to APPENDIX B

Note

The latest version of the WSUS setup executable is available at http://go.microsoft.com/fwlink/?LinkId=74472

During the installation of a WSUS decided on in section 4 of this document can be defined. These are:

� Storage Options (and storage location when storing updates locally)

� Database Software (and databasedatabase instance name when using Microsoft SQL Server 2005)

� Deployment Type and Management Style

Additionally, during WSUS 3.0 server create a custom IIS 6.0 Web s

To install WSUS 3.0 server:

1. Check that the prerequisite software listed in section

2. Double-click the installer file (Welcome page of the


Installing WSUS 3.0

This section provides the procedures for installing WSUS 3.0 server on Windows Server 2003 cal database. For instructions on installing WSUS 3.0 server in a remote SQL

APPENDIX B.

SUS setup executable is available at http://go.microsoft.com/fwlink/?LinkId=74472.

WSUS 3.0 server, a number of the configuration choices that were of this document can be defined. These are:

Storage Options (and storage location when storing updates locally)

Database Software (and database location when using Windows Internal Databasedatabase instance name when using Microsoft SQL Server 2005)

Deployment Type and Management Style

3.0 server setup, the choice to use an existing IIS 6.0 site is provided.

Check that the prerequisite software listed in section 6.1.2.5 is installed.

click the installer file (WSUSSetup-x86.exe or WSUSSetup-x64.exeof the Windows Server Update Services 3.0 Setup Wizard


Page 26

on Windows Server 2003 emote SQL Server

a number of the configuration choices that were

indows Internal Database or the

6.0 Web site or to

is installed.

x64.exe). The Windows Server Update Services 3.0 Setup Wizard displays:



3. Click Next. The Installation Mode Selection

4. Select Full server installation

5. On the License Agreement I accept the terms of the


Installation Mode Selection page displays:

Full server installation including Administration Console, and click

License Agreement page, read the terms of the licence agreementI accept the terms of the License agreement.


Page 27

, and click Next.

ead the terms of the licence agreement and select


6. Click Next. The Select Update Source

7. Complete the required

� When using local storage, epartition – C:\)

� When using remote clients to download approved updates directly from the

Note

For more information on


Select Update Source page displays:

required information:

When using local storage, enter a location to store downloaded updates

emote storage, clear the Store updates locally check boxdownload approved updates directly from the Microsoft Update servers

For more information on storage options, see section 4.3.


Page 28

nter a location to store downloaded updates (not the system

check box. This enables Microsoft Update servers


8. Click Next. The Database Options

9. Select the database software is to install Windows Internal Database.

� To accept the default option, computer and enter the

� To use other database software, such as Microsoft SQL Server 2005, selectother two option buttons

� If Use an existing database server on this computerinstance name from the drop

� If Using an existing database server on a remote computer (MachinenameMachinename

Note

For more information of WSUS 3.0 database options


Database Options page displays:

software that will be used for the WSUS 3.0 serveris to install Windows Internal Database.

To accept the default option, select Install Windows Internal Database on this enter the required file path (not the system partition

To use other database software, such as Microsoft SQL Server 2005, selectbuttons:

Use an existing database server on this computer is selectede name from the drop-down list

existing database server on a remote computer (Machinename\Instancename) is selected, enter the required Machinename\Instancename

For more information of WSUS 3.0 database options, see section 4.2.


Page 29

3.0 server. The default option

Install Windows Internal Database on this em partition – C:\)

To use other database software, such as Microsoft SQL Server 2005, select one of the

is selected, choose the

existing database server on a remote computer is selected, enter the required


10. Click Next. The Web Site Selection

11. .Select the Web site that will be used for the WSUS 3.0 server.

� To use the default (recommended); this

� To use a custom Web siteServices 3.0 Web site

Note

The URL at the bottom of the and the port details for

For more information on configuring IIS 6.0


Web Site Selection page displays:

eb site that will be used for the WSUS 3.0 server.

default option, select Use the existing IIS Default Web site ; this listens on port 80

To use a custom Web site on port 8530, select Create a Windows Server Update Web site

The URL at the bottom of the page indicates where to point clients to, as well asport details for connecting with the WSUS 3.0 console.

For more information on configuring IIS 6.0, see section 6.1.3.


Page 30

existing IIS Default Web site

Create a Windows Server Update

as well as the server name


12. Click Next. The Ready to Install Microsoft Windisplays:

13. Review the installation choices, and then click will state whether or not the WSUS 3.0 installation completed successfully.

14. Click Finish to launch

6.1.7 WSUS 3.0 Configuration Wizard

When the WSUS 3.0 server installation completes, the Configuration Wizard launchdecisions made during the Plan phase to be setoptions can also be configured via the WSUS 3.0 console, so there is no requirement to use the wizard. Configuring these options via the WSUS 3.0 console is documented in the Update Services 3.0 Operations

This section provides guidance on

The Configuration Wizard launcheserver, but can also be launched at a later stage from the WSUS 3.0 console.


Ready to Install Microsoft Windows Server Update Services

Review the installation choices, and then click Next. The final page of the installation wizard whether or not the WSUS 3.0 installation completed successfully.

to launch the configuration wizard.

WSUS 3.0 Configuration Wizard

When the WSUS 3.0 server installation completes, the Windows Server Update Services launches automatically. The Configuration Wizard allows all of the design

Plan phase to be set up on the newly installed WSUS 3.0 server. options can also be configured via the WSUS 3.0 console, so there is no requirement to use the wizard. Configuring these options via the WSUS 3.0 console is documented in the Update Services 3.0 Operations Guide {R1}.

This section provides guidance on the options available on each page of the Configuration

izard launches automatically after the successful installation of a WSUS 3.0 can also be launched at a later stage from the WSUS 3.0 console.


Page 31

dows Server Update Services 3.0 page

of the installation wizard whether or not the WSUS 3.0 installation completed successfully.

Windows Server Update Services izard allows all of the design

on the newly installed WSUS 3.0 server. These options can also be configured via the WSUS 3.0 console, so there is no requirement to use the wizard. Configuring these options via the WSUS 3.0 console is documented in the Windows Server

onfiguration Wizard.

automatically after the successful installation of a WSUS 3.0


To configure a WSUS 3.0 server using the configuration wizard

1. When the Windows Server UYou Begin page displays:


configure a WSUS 3.0 server using the configuration wizard:

Windows Server Update Services Configuration Wizard launches, tdisplays:


Page 32

launches, the Before


2. Click Next. The Join the Microsoft Update Improvement Program

3. Clear the Yes, I would like to join the Microsoft Update Improvement Programbox.


Join the Microsoft Update Improvement Program page

Yes, I would like to join the Microsoft Update Improvement Program


Page 33

page displays:

Yes, I would like to join the Microsoft Update Improvement Program check


4. Click Next. The Choose Upstream Server

5. Depending on the design decisions made previously, select buttons:

� Synchronize from Microsoft Update

� Synchronize from another Windows Server Update Services server from an upstream

� Enter the Server name the associated

� If SSL encryption is enabled on the upstream when synchronizing update informationreplica mode, select the


Choose Upstream Server page displays:

Depending on the design decisions made previously, select one of the following two option

Synchronize from Microsoft Update to synchronise from Microsoft Update only

Synchronize from another Windows Server Update Services server WSUS 3.0 server

Server name and the Port number of the upstream WSUS 3.0 serverassociated fields

If SSL encryption is enabled on the upstream WSUS 3.0 server, select the when synchronizing update information check box. If this server is to run in

select the This is a replica of the upstream server


Page 34

one of the following two option

to synchronise from Microsoft Update only

Synchronize from another Windows Server Update Services server to synchronise

of the upstream WSUS 3.0 server, in

WSUS 3.0 server, select the Use SSL check box. If this server is to run in

This is a replica of the upstream server check box


6. Click Next. The Specify Proxy Server

7. If the server requires a Update, perform the following:

a. Select Use a proxy server when synchronizing

b. Enter the Proxy server nameassociated fields.

c. If authentication is credentials to connect to the proxy server

i. Enter the User name

ii. If basic authentication is required, select the (password is sent in cleartext)


Specify Proxy Server page displays:

a proxy server to access the upstream WSUS 3.0 server or Microsoft Update, perform the following:

Use a proxy server when synchronizing check box.

erver name and the Port number of the proxy server in the

required to connect to the proxy server, select the credentials to connect to the proxy server check box.

User name, Domain and Password of a suitable user account

If basic authentication is required, select the Allow basic authentication (password is sent in cleartext) check box.


Page 35

access the upstream WSUS 3.0 server or Microsoft

of the proxy server in the

the Use user

of a suitable user account.

llow basic authentication


8. Click Next. The Connect to Upstream Server

9. Click Start ConnectingWSUS 3.0 server or with download a current list of the available products, classifications and languages

Note

The Next button will remain unavailable until the download completes.


Connect to Upstream Server page displays:

Start Connecting. The WSUS 3.0 server begins communicating with its upstream with Microsoft Update based on option selected in step

a current list of the available products, classifications and languages

button will remain unavailable until the download completes.


Page 36

with its upstream in step 5. It will

a current list of the available products, classifications and languages.


10. Click Next. The Choose Languages

11. Select the Download updates only in these languagesappropriate languages


Choose Languages page displays:

Download updates only in these languages option button appropriate languages.


Page 37

and select the


12. Click Next. The Choose Products

13. Only select the check boxes for the to the healthcare organisationwill be selected automatically, 3.0 server. Select only those Windows versions whichorganisation’s environment.

Note

If the WSUS 3.0 server Security, ensure that the check box for


Choose Products page displays:

the check boxes for the required products or product familieshealthcare organisation. If Windows is selected, all products in the family beneath it

automatically, and this will increase the storage requirements on the WSUS 3.0 server. Select only those Windows versions which are used in the healthcare

’s environment.

If the WSUS 3.0 server is to be used as the Distribution Server component of Forefront Client Security, ensure that the check box for Forefront Client Security is selected.


Page 38

or product families that are relevant . If Windows is selected, all products in the family beneath it

storage requirements on the WSUS healthcare

used as the Distribution Server component of Forefront Client is selected.


14. Click Next. The Choose

15. Ensure the Critical Updates

Note

If the WSUS 3.0 server Security, ensure that the check box for


Choose Classifications page displays:

Critical Updates and Security Updates check boxes are selected.

If the WSUS 3.0 server is to be used as the Distribution Server component of Forefront Client Security, ensure that the check box for Definition Updates is also selected.


Page 39

are selected.

be used as the Distribution Server component of Forefront Client selected.


16. Click Next. The Set Sync Schedule

17. Select the Synchronise automatically

a. Enter the time of the first synchronisation

b. Enter the number of synchronisations in the

Recommendation

The Microsoft Security Research Centre (MSRC) releases new security updates and their accompanying bulletins on the second Tuesday of every month at 10 AM Pacific Time. If only 1 synchronisation per day is seleGreenwich Mean Time to ensure that new security updates are received promptly.


Set Sync Schedule page displays:

Synchronise automatically option button:

of the first synchronisation in the First Synchronization

number of synchronisations in the Synchronizations per day

The Microsoft Security Research Centre (MSRC) releases new security updates and their accompanying bulletins on the second Tuesday of every month at 10 AM Pacific Time. If only 1 synchronisation per day is selected, then it should be set to occur in the evening after 6 PM Greenwich Mean Time to ensure that new security updates are received promptly.


Page 40

First Synchronization field

ronizations per day field

The Microsoft Security Research Centre (MSRC) releases new security updates and their accompanying bulletins on the second Tuesday of every month at 10 AM Pacific Time. If only 1

cted, then it should be set to occur in the evening after 6 PM Greenwich Mean Time to ensure that new security updates are received promptly.


18. Click Next. The Finished

19. By default, the Launch the Windows Server Updates Services Administratioand the Begin initial synchronization


Finished page displays:

Launch the Windows Server Updates Services AdministratioBegin initial synchronization check boxes are selected.


Page 41

Launch the Windows Server Updates Services Administration Console


20. Click Next. The What’s Next

21. This page contains hyperlinks to additional configuration options for the WSUS 3.0 server. Guidance on all of these options is available Operations Guide {R1

22. Click Finish to close the configuration wizard.


What’s Next page displays:

contains hyperlinks to additional configuration options for the WSUS 3.0 server. Guidance on all of these options is available in the Windows Server Update Services 3.0

}.

the configuration wizard.


Page 42

contains hyperlinks to additional configuration options for the WSUS 3.0 server. Windows Server Update Services 3.0


6.2 Installing the WSUS 3.0 ConsoleAfter installing WSUS 3.0 on a server, the WSUS 3.0 server can be managed from any computer on the network, as long as the domain of that computer has a trust relationship with the domain of the WSUS 3.0 server. The WSUS 3.0 console is supported on the following operating systems:

� Windows Vista

� Windows XP Professional

� Windows Server 2003


There are a number of software requirements for the installation of the WSUS 3.0 console.provides links to download the sorequirements depending on the host operating system

� Windows Vista


� Windows XP Professional SP2




� Windows Server 2003 SP1 or later




Table 5 provides the links to download the software prerequisites for

Software





Microsoft Management Console 3.0 for Windows


Table 5: Console Software Download Links

6.2.2 Installing the C

To install the WSUS 3.0 consolethe WSUS 3.0 server.

Note

The latest version of the WSUS setup executable is available at http://go.microsoft.com/fwlink/?LinkId=74472


Installing the WSUS 3.0 Console After installing WSUS 3.0 on a server, the WSUS 3.0 server can be managed from any computer

s long as the domain of that computer has a trust relationship with the domain of the WSUS 3.0 server. The WSUS 3.0 console is supported on the following operating systems:

Windows XP Professional SP2

Windows Server 2003 SP1 or later

tion Prerequisites

There are a number of software requirements for the installation of the WSUS 3.0 console.provides links to download the software listed in this section. The following list details the software

depending on the host operating system:


Windows XP Professional SP2


Management Console 3.0


Windows Server 2003 SP1 or later


Microsoft Management Console 3.0


provides the links to download the software prerequisites for the WSUS 3.0

Download Link




Windows Server 2003 (x64) http://go.microsoft.com/fwlink/?LinkId=70638

Microsoft Management Console 3.0 for Windows XP SP2 (x86) http://go.microsoft.com/fwlink/?LinkId=86951

Microsoft Report Viewer Redistributable 2005 http://go.microsoft.com/fwlink/?LinkId=70410

Console

console, use the same installation package that was downloaded to install

The latest version of the WSUS setup executable is available at http://go.microsoft.com/fwlink/?LinkId=74472.


Page 43

After installing WSUS 3.0 on a server, the WSUS 3.0 server can be managed from any computer s long as the domain of that computer has a trust relationship with the domain of

the WSUS 3.0 server. The WSUS 3.0 console is supported on the following operating systems:

There are a number of software requirements for the installation of the WSUS 3.0 console. Table 5 ftware listed in this section. The following list details the software

WSUS 3.0 console.





go.microsoft.com/fwlink/?LinkId=86951


downloaded to install









To install the WSUS 3.0 console only from the UI

1. Double-click the installer file (WSUSSetupWelcome page of the

2. Click Next. The Installation Mode Selection

3. Select Administration Console


To install the WSUS 3.0 console only from the UI:

click the installer file (WSUSSetup-x86.exe or WSUSSetup-x64.exe).of the Windows Server Update Services 3.0 Setup Wizard

Installation Mode Selection page displays:

Administration Console only, and click Next.


Page 44

x64.exe). The ws Server Update Services 3.0 Setup Wizard displays:


4. On the License Agreement I accept the terms of the License Agreement

5. Click Next. The final pageconsole installation completed successfully.

6. Click Finish to complete the installation


License Agreement page, read the terms of the licence agreementaccept the terms of the License Agreement.

page of the installation wizard will state whether or not the WSUS 3.0 installation completed successfully.

to complete the installation.


Page 45

e agreement and select

whether or not the WSUS 3.0


To install the WSUS 3.0 cons

1. Open a command window.

2. Change the directory to the location executable will be either WSUSSetup

3. Type one of the following commands: WSUS3Setupx86.exe CONSOLE_INSTALL=1

or

WSUS3Setupx64.exe CONSOLE_INSTALL=1

4. This will bring up the Welcome

5. Read the terms of the licencAgreement, and then cli

6. Wait for the installation process to finish, and then click

6.2.3 Accessing the WSUS

Membership of the local Administrators on the computer on which WSUS WSUS 3.0 console. Members of the WSUS Reporters security group have readconsole.

To open the WSUS administration console

1. Click Start, point to Control PanelMicrosoft Windows Server Update Services 3.0

2. When accessing the remote console for the first time, only of the console will be seen

3. To connect to a WSUS

4. In the Connect to Serverwhich it should connect.

5. If using Secure Sockets Layer (Secure Sockets Layer (SSL) to connect to this serv

6. Click Connect to connect to the WSUS server.

Note

Connections to multiple WSUS 3.0 servers can be madethe WSUS 3.0 servers within


To install the WSUS 3.0 console only from the command line:

Open a command window.

to the location in which the installation executablebe either WSUSSetup-x86.exe or WSUSSetup-x64.exe.

Type one of the following commands: Setupx86.exe CONSOLE_INSTALL=1

Setupx64.exe CONSOLE_INSTALL=1

Welcome page of the installation UI. Click Next.

Read the terms of the licence agreement carefully. Click I accept the terms of the License , and then click Next.

Wait for the installation process to finish, and then click Finish.

the WSUS 3.0 Console

of the local Administrators security group or the WSUS Administrators security group on the computer on which WSUS 3.0 is installed is required in order to use all the features of the

console. Members of the WSUS Reporters security group have read

To open the WSUS administration console:

Control Panel, point to Administrative Tools, and then click Microsoft Windows Server Update Services 3.0.

the remote console for the first time, only Update Serviceswill be seen.

To connect to a WSUS 3.0 server, in the Actions pane, click Connect to S

o Server dialog box, type the name of the WSUS server and the port connect.

Secure Sockets Layer (SSL) to communicate with the WSUS server, select the Secure Sockets Layer (SSL) to connect to this server check box.

to connect to the WSUS server.

Connections to multiple WSUS 3.0 servers can be made through the WSUS 3.0 console.the WSUS 3.0 servers within a healthcare organisation to be managed from a single WSUS 3.0 co


Page 46

in which the installation executable was saved. The x64.exe.

I accept the terms of the License

group or the WSUS Administrators security group in order to use all the features of the

console. Members of the WSUS Reporters security group have read-only access to the

, and then click

Update Services in the left pane

Connect to Server.

dialog box, type the name of the WSUS server and the port to

to communicate with the WSUS server, select the Use

console. This allows all to be managed from a single WSUS 3.0 console.


6.3 Installing the WSUS This section details the installation precomponents are updated during the first communication with the WSUS 3.0 server.


The WSUS 3.0 client softwareAutomatic Updates. The WSUS desktop computer that runs any of the following operating systems:

� Windows Vista

� Windows XP Professional

� Windows 2000 Professional

6.3.2 Updating Automatic Updates

There are a number of different versions of Automatic Updates. To update clients using WSUSit is necessary to have the correct version of the Automatic Updates client compoThis is a version of Automatic Updates that is compatible with WSUS Windows Update Agent (WUA). On all Updates is already installed. This software version, WUA, when the client first connects to a WSUS

In order to successfully update to the latest version of Automatic Updatesmust be available in IIS. This is a virtual directoryWeb site on port 80 on WSUS download the latest version of the

To update the Automatic Updates client software to the WSUS necessary to configure the client to connect to the WSUS configure the clients to connect to the server using Group Policy settWindows Server Update Services with the WSUS 3.0 server, it will downlo


Installing the WSUS 3.0 Client ails the installation prerequisites for the WSUS 3.0 client and how the client

components are updated during the first communication with the WSUS 3.0 server.

Installation Prerequisites

client software is Automatic Updates. There are no hardware requirements for Automatic Updates. The WSUS 3.0 compatible version of Automatic Updates can be used on any

computer that runs any of the following operating systems:

XP Professional SP2

Windows 2000 Professional SP4

Updating Automatic Updates

There are a number of different versions of Automatic Updates. To update clients using WSUSit is necessary to have the correct version of the Automatic Updates client compoThis is a version of Automatic Updates that is compatible with WSUS 3.0, and is known as the Windows Update Agent (WUA). On all supported operating systems, a version of Automatic

. This software is able to self-update to the WSUS 3.0 when the client first connects to a WSUS 3.0 server.

In order to successfully update to the latest version of Automatic Updates, the ‘must be available in IIS. This is a virtual directory that is created upon setup and Web site on port 80 on WSUS 3.0 servers. Clients connect to the ‘SelfUpdate’ download the latest version of the WSUS-compatible Automatic Updates software.

To update the Automatic Updates client software to the WSUS 3.0 compatible versionnecessary to configure the client to connect to the WSUS 3.0 server. For instructions on how to configure the clients to connect to the server using Group Policy settings or registry keys, see the Windows Server Update Services 3.0 Operations Guide {R1}. When the client first

it will download the latest Automatic Updates software.


Page 47

requisites for the WSUS 3.0 client and how the client components are updated during the first communication with the WSUS 3.0 server.

. There are no hardware requirements for compatible version of Automatic Updates can be used on any

There are a number of different versions of Automatic Updates. To update clients using WSUS 3.0, it is necessary to have the correct version of the Automatic Updates client components installed.

and is known as the a version of Automatic

3.0 compatible

‘SelfUpdate’ tree and that runs under a virtual directory to

Automatic Updates software.

compatible version, it is server. For instructions on how to

ings or registry keys, see the . When the client first communicates

ad the latest Automatic Updates software.


APPENDIX A The table in PART I of this appendix, lists the suggested training and skill assessment resources available. This list is not exhaustive; there are many thirdresources listed are those provided by Microsoft. The table in additional training resources that might be useful.

PART I WSUS 3.0 For further information on WSUS 3.0, see

Skill or Technology Area

Microsoft Windows Server Update Services 3.0 Overview

Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services 3.0

Deploying Microsoft Windows Server Update Services 3.0

Microsoft Windows Server Update Services 3.0 Operations Guide

Table 6: Windows Server Update Services 3.0

PART II Supplemental Training Resources

Title

Microsoft SQL Server TechCenter

Microsoft Windows Server TechCenter: Network Load Balancing (NLB) Clusters

Microsoft Windows Server TechCenter: Distributed File System (DFS)

Table 7: Supplemental Training Resources


SKILLS AND TRAINING RESOURCES

of this appendix, lists the suggested training and skill assessment resources available. This list is not exhaustive; there are many third-party providers of such skills. The resources listed are those provided by Microsoft. The table in PART II of this appendix lists additional training resources that might be useful.

For further information on WSUS 3.0, see http://www.microsoft.com/wsus

Resource Location Description

http://go.microsoft.com/fwlink/?LinkId=71191 This overview introduces WSUS 3.0 and provides information about features, and server and client computer requirements

http://go.microsoft.com/fwlink/?LinkId=71190 This guide provides basic instructions for getting started with WSUS 3.0

http://go.microsoft.com/fwlink/?LinkId=86416 This document describes how to deploy, install and configure WSUS 3.0

http://go.microsoft.com/fwlink/?LinkId=86697 This document describes how to administer and troubleshoot WSUS 3.0

Update Services 3.0

Supplemental Training Resources

Link

http://technet.microsoft.com/en-us/sqlserver/default.aspx

TechCenter: Network Load http://go.microsoft.com/fwlink/?LinkId=76491

Microsoft Windows Server TechCenter: Distributed File http://technet2.microsoft.com/windowsserver/en/library/370f16f945dc-8cf2-d9e2bfeada881033.mspx


Page 48

ESOURCES

of this appendix, lists the suggested training and skill assessment resources party providers of such skills. The

of this appendix lists

This overview introduces WSUS 3.0 and provides information about features, and server and client computer requirements

This guide provides basic instructions for getting started with WSUS 3.0

This document describes how to deploy, install and configure WSUS 3.0

This document describes how to administer and troubleshoot WSUS 3.0

us/sqlserver/default.aspx

http://technet2.microsoft.com/windowsserver/en/library/370f16f9-dd08-

http://www.microsoft.com/wsus

http://technet2.microsoft.com/WindowsServer/logredir.aspx?MODE=CT&CTT=ToExternal&target=http%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D71191&referrer=http%3A%2F%2Ftechnet2.microsoft.com%2Fwindowsserver%2Fen%2Flibrary%2F632f98ac-9d45-480b-b801-996b714cebd01033.mspx&reldir=en%2Flibrary




http://technet.microsoft.com/en-us/sqlserver/default.aspx


http://technet2.microsoft.com/windowsserver/en/library/370f16f9-dd08-45dc-8cf2-d9e2bfeada881033.mspx

http://technet2.microsoft.com/windowsserver/en/library/370f16f9-dd08-45dc-8cf2-d9e2bfeada881033.mspx


APPENDIX B WSUS 3.0 offers limited support for running database software on a server that is separate from the server where the rest of WSUS 3.0 is installed. This section offers stephow to install WSUS 3.0 in this configuration.

To set up WSUS 3.0 for remote SQL:

1. Install and configure Microsoft SQL Server 2005 on the back

2. Check that the administrator who is going to install WSUS 3.0 also has permissions on SQL Server.

3. Install WSUS 3.0 on the frontback-end computer.

Note

For a remote SQL installation of WSUS 3.0, install WSUS 3.0 server on the frontno need to install any WSUS 3.0 server components on the back

The following prerequisites exist when using a remote SQL configuration:

� A server configured as a domain controller cannot be used for the back end of the remote SQL pair

� Terminal Server must not be running on the computer that will be the frontremote SQL installation

� Microsoft SQL Server 2005 SP1 or later must be used for the database software on the back-end computer

� Both the front-end and the backdomain, otherwise, if they are in different domains, a crossestablished between the domains before running the WSUS 3.0 setup

� If WSUS 2.0 is already installed in a remote SQL configuration and it needs to be upgraded to WSUS 3.0, uninstall WSUS 2.0 (using the back-end server while ensuring that the existing database remains intact. Then install SQL Server 2005 SP1 or later and upgrade the existing database. Finally, install WSUS 3.0 on the front-end computer

PART I Install SQL Server 2005 SP1 or Later on the Server

Install a SQL Server 2005 database on the backnamed instance or the default instance for the WSUS 3.0 database can be used.

If it is planned to run the SQL Server service remotely under a domainame (SPN) for this server will need to be registered. For more information about adding an SPN, see the Knowledge Base (KB) article when you create a remote connect

Note

Running the SQL Server service under a local non

6 How to make sure that you are using Kerberos authentication when you create a remoServer 2005 {R6}: http://go.microsoft.com/fwlink/?LinkId=85942


REMOTE SQL

WSUS 3.0 offers limited support for running database software on a server that is separate from the server where the rest of WSUS 3.0 is installed. This section offers step-by-step instructions for how to install WSUS 3.0 in this configuration.

up WSUS 3.0 for remote SQL:

Install and configure Microsoft SQL Server 2005 on the back-end server.

Check that the administrator who is going to install WSUS 3.0 also has permissions on SQL

Install WSUS 3.0 on the front-end computer, and configure it to use the database on the

For a remote SQL installation of WSUS 3.0, install WSUS 3.0 server on the front-end server only. There is no need to install any WSUS 3.0 server components on the back-end server.

sites exist when using a remote SQL configuration:

A server configured as a domain controller cannot be used for the back end of the remote

Terminal Server must not be running on the computer that will be the frontllation

Microsoft SQL Server 2005 SP1 or later must be used for the database software on the

end and the back-end computers must be joined to an Active Directory domain, otherwise, if they are in different domains, a cross-domain trust must be established between the domains before running the WSUS 3.0 setup

If WSUS 2.0 is already installed in a remote SQL configuration and it needs to be upgraded to WSUS 3.0, uninstall WSUS 2.0 (using Add or Remove Programs in Control Panel

while ensuring that the existing database remains intact. Then install SQL Server 2005 SP1 or later and upgrade the existing database. Finally, install WSUS 3.0

end computer

Install SQL Server 2005 SP1 or Later on the

Install a SQL Server 2005 database on the back-end computer and enable remote connections. A named instance or the default instance for the WSUS 3.0 database can be used.

If it is planned to run the SQL Server service remotely under a domain account, a service principal name (SPN) for this server will need to be registered. For more information about adding an SPN, see the Knowledge Base (KB) article How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 20056.

Running the SQL Server service under a local non-system account is not supported.

How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL http://go.microsoft.com/fwlink/?LinkId=85942


Page 49

WSUS 3.0 offers limited support for running database software on a server that is separate from step instructions for

end server.

Check that the administrator who is going to install WSUS 3.0 also has permissions on SQL

it to use the database on the

end server only. There is

A server configured as a domain controller cannot be used for the back end of the remote

Terminal Server must not be running on the computer that will be the front-end server of a

Microsoft SQL Server 2005 SP1 or later must be used for the database software on the

end computers must be joined to an Active Directory domain trust must be

If WSUS 2.0 is already installed in a remote SQL configuration and it needs to be upgraded in Control Panel) on

while ensuring that the existing database remains intact. Then install SQL Server 2005 SP1 or later and upgrade the existing database. Finally, install WSUS 3.0

Install SQL Server 2005 SP1 or Later on the Back-End

end computer and enable remote connections. A named instance or the default instance for the WSUS 3.0 database can be used.

n account, a service principal name (SPN) for this server will need to be registered. For more information about adding an SPN,

How to make sure that you are using Kerberos authentication

system account is not supported.

te connection to an instance of SQL



PART II Check Administrative Permissions on the SQL ServerEnsure that the person who is going to install WSUS 3.0 on the frontadministrative permissions on SQL Server.

To ensure administrative permissions on SQL Server:

1. Start SQL Server Management Studio

2. Connect to the SQL Engine on the server where SQL Server 2005 was iAPPENDIX B PART I.

3. Select the Security node, and then select accounts that have database access.

4. Check that the person who is going to install WSUS 3.0 on the froaccount in this list.

5. If the account does not exist, rightaccount.

� Set up this account for the roles needed to set up the WSUS 3.0 database. The roles are either dbcreatorAdministrators group have the

PART III Install WSUS 3.0 on the FrontInstall WSUS 3.0 on the front-WSUS 3.0 server to obtain updates. This server needs to be prepared with all the prerequisites for a normal WSUS 3.0 server installation, as detailed in section

To install the WSUS 3.0 front-Use an existing database server on a remote cin step 9.

Note

After the WSUS 3.0 installation has been completed, the SQL Server account set up in PART II can be deleted if required.


Check Administrative Permissions on the SQL ServerEnsure that the person who is going to install WSUS 3.0 on the front-end computer has administrative permissions on SQL Server.

To ensure administrative permissions on SQL Server:

SQL Server Management Studio (click Start, click Run, and then type

Connect to the SQL Engine on the server where SQL Server 2005 was i

node, and then select Logins. The right pane will show a list of the accounts that have database access.

Check that the person who is going to install WSUS 3.0 on the front-end computer has an

If the account does not exist, right-click the Logins node, select New Login

Set up this account for the roles needed to set up the WSUS 3.0 database. The roles dbcreator plus diskadmin, or sysadmin. Accounts belonging to the local

Administrators group have the sysadmin role by default

Install WSUS 3.0 on the Front-End Server-end server. This server will need access to the Internet or to another

3.0 server to obtain updates. This server needs to be prepared with all the prerequisites for a normal WSUS 3.0 server installation, as detailed in section 6.1.2.5.

-end server, follow the detailed steps in section 6.1.6Use an existing database server on a remote computer (Machinename\Instancename)

After the WSUS 3.0 installation has been completed, the SQL Server account set up in can be deleted if required.


Page 50

Check Administrative Permissions on the SQL Server computer has

, and then type sqlwb).

Connect to the SQL Engine on the server where SQL Server 2005 was installed in

. The right pane will show a list of the

end computer has an

New Login, and add the

Set up this account for the roles needed to set up the WSUS 3.0 database. The roles . Accounts belonging to the local

End Server end server. This server will need access to the Internet or to another

3.0 server to obtain updates. This server needs to be prepared with all the prerequisites for

6.1.6, and select the Instancename) option

After the WSUS 3.0 installation has been completed, the SQL Server account set up in APPENDIX B


APPENDIX C

LOAD

NLB is a strategy that can keep networks running even if one (or more) servers go offline. It can be used in conjunction with WSUS 3.0, but requires special steps at setup time.

WSUS 3.0 for NLB should be set up after configuring the SQL Server 2005 databcluster. However, WSUS 3.0 should be set up before configuring the NLB cluster.

Note

For more information about how to set up SQL Server 2005 as a failover cluster, see New SQL Server 2005 Failover Cluster (Setup)

For more information about how to set up an NLB cluster, see

None of the servers taking part in the cluster should be a domain controller.

The maximum number of front

PART I Configure Remote SQLTo configure WSUS 3.0 for remote SQL, see

The steps in APPENDIX B will create a server. Setting up the additional frontPART II below.

PART II Set Up the Other Front

To install WSUS 3.0 on an additional frontdatabase:

1. At the command prompt, change diprogram, and type: WSUS3Setupx86.exe/q FRONTEND_SETUP=1 SQLINSTANCE_NAME=serverCREATE_DATABASE=0

The Welcome page of the installation wizard displays.

2. Continue installing WSUS 3.0 server as per the

Note

If the WSUS 3.0 database was installed to the default SQL instance, then the parameter on the WSUSSetu

WSUS3Setupx86.exe/q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server CREATE_DATABASE=0

7 How to: Create a New SQL Server 2005 Failover Cluster (Setup)

8 Network Load Balancing Clusters {R8


CONFIGURE WSUS 3.0 FOR

OAD BALANCING

NLB is a strategy that can keep networks running even if one (or more) servers go offline. It can be used in conjunction with WSUS 3.0, but requires special steps at setup time.

WSUS 3.0 for NLB should be set up after configuring the SQL Server 2005 databcluster. However, WSUS 3.0 should be set up before configuring the NLB cluster.

For more information about how to set up SQL Server 2005 as a failover cluster, see New SQL Server 2005 Failover Cluster (Setup)7.

For more information about how to set up an NLB cluster, see Network Load Balancing Clusters

None of the servers taking part in the cluster should be a domain controller.

The maximum number of front-end WSUS 3.0 servers per database instance is four.

figure Remote SQL To configure WSUS 3.0 for remote SQL, see APPENDIX B.

will create a back-end SQL server as well as one frontserver. Setting up the additional front-end WSUS 3.0 servers in the NLB cluster is covered in

Set Up the Other Front-End WSUS 3.0 Servers

To install WSUS 3.0 on an additional front-end server without creating the WSUS 3.0

At the command prompt, change directory to the folder containing the WSUS setup

WSUS3Setupx86.exe/q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server

of the installation wizard displays.

Continue installing WSUS 3.0 server as per the steps in section 6.1.6.

If the WSUS 3.0 database was installed to the default SQL instance, then the SQLINSTANCE_NAMEparameter on the WSUSSetup.exe command line should just be the server name, that is:


to: Create a New SQL Server 2005 Failover Cluster (Setup) {R7}: http://go.microsoft.com/fwlink/?LinkId=76490

R8}: http://go.microsoft.com/fwlink/?LinkId=76491


Page 51

FOR NETWORK

NLB is a strategy that can keep networks running even if one (or more) servers go offline. It can be

WSUS 3.0 for NLB should be set up after configuring the SQL Server 2005 database as a failover cluster. However, WSUS 3.0 should be set up before configuring the NLB cluster.

For more information about how to set up SQL Server 2005 as a failover cluster, see How to: Create a

Network Load Balancing Clusters8.

end WSUS 3.0 servers per database instance is four.

end SQL server as well as one front-end WSUS 3.0 end WSUS 3.0 servers in the NLB cluster is covered in

End WSUS 3.0 Servers

end server without creating the WSUS 3.0

rectory to the folder containing the WSUS setup

WSUS3Setupx86.exe/q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server\instance

SQLINSTANCE_NAME p.exe command line should just be the server name, that is:






PART III Configure the FrontAll of the front-end WSUS 3.0 servers should use a proxy server and should of the same user name and password. This can be configured in the WSUS 3.0 console.

To configure the proxy server on WSUS front

1. In the WSUS 3.0 console, select

2. Select the Proxy Server

3. Enter the proxy server name, port, user name, domain, and password, and click

4. Repeat this procedure on all the front

PART IV Set Up a Distributed File System ShareA single file location should be created that is available tEven if the local storage option is not selected for these WSUS 3.0 servers, there is still a requirement to store EULA files. One of the file storage options available is the use of a DFS share.

Note

It is not necessary to use a DFS share with an NLB cluster. A standard network share can also be used.

To set up DFS on one of the WSUS 3.0 servers in a NLB cluster:

1. Go to Start, point to All ProgramsFile System. The Distributed File System management console launches.

2. Right-click the Distributed File System shortcut menu. Once the

3. On the Root Type page

4. On the Host Server pagewith Browse, and then click

5. On the Root Name page

6. On the Root Share pageand then click Next.

7. On the last page of the wizard, review the selections and then click

8. If the Distributed File Systemmessage displays and the service should be started at this time.

9. Ensure the domain account of each of the frontpermissions on the root folder of this share. That is,locally on the computer that has the DFS share, the Network Service account should have change permissions on the root folder. In addition, the user account of the administrator who will run the movecontent command permissions. For each of the remote WSUS 3.0 servers, the domain/computer account (where domain is the name of the domain, anshould have change permissions on the root folder of the share.


Configure the Front-End WSUS 3.0 Serversend WSUS 3.0 servers should use a proxy server and should authenticate by means

of the same user name and password. This can be configured in the WSUS 3.0 console.

To configure the proxy server on WSUS front-end servers:

In the WSUS 3.0 console, select Options, then Update Source and Proxy Server

y Server tab.

Enter the proxy server name, port, user name, domain, and password, and click

Repeat this procedure on all the front-end WSUS 3.0 servers.

Set Up a Distributed File System Share A single file location should be created that is available to all of the front-end WSUS 3.0 servers. Even if the local storage option is not selected for these WSUS 3.0 servers, there is still a requirement to store EULA files. One of the file storage options available is the use of a DFS share.

ssary to use a DFS share with an NLB cluster. A standard network share can also be used.

To set up DFS on one of the WSUS 3.0 servers in a NLB cluster:

All Programs, point to Administrative Tools, and click e Distributed File System management console launches.

Distributed File System node in the left pane and click shortcut menu. Once the New Root Wizard displays, click Next.

page, select Stand-alone root as the type of root and then click

page, type the name of the host server for the DFS root or search for it , and then click Next.

page, type the name of the DFS root and then click

age, select the folder that will serve as the share, or create a new one,

of the wizard, review the selections and then click Finish

Distributed File System service has not yet been started on the server, an error message displays and the service should be started at this time.

Ensure the domain account of each of the front-end WSUS 3.0 servers has change permissions on the root folder of this share. That is, if there is a WSUS 3.0 server installed locally on the computer that has the DFS share, the Network Service account should have change permissions on the root folder. In addition, the user account of the administrator who will run the movecontent command (in PART VI), should also have change permissions. For each of the remote WSUS 3.0 servers, the domain/computer account (where domain is the name of the domain, and computer is the name of the computer) should have change permissions on the root folder of the share.


Page 52

End WSUS 3.0 Servers authenticate by means

of the same user name and password. This can be configured in the WSUS 3.0 console.

Update Source and Proxy Server.

Enter the proxy server name, port, user name, domain, and password, and click OK.

end WSUS 3.0 servers. Even if the local storage option is not selected for these WSUS 3.0 servers, there is still a requirement to store EULA files. One of the file storage options available is the use of a DFS share.

ssary to use a DFS share with an NLB cluster. A standard network share can also be used.

, and click Distributed e Distributed File System management console launches.

node in the left pane and click New Root in the

he type of root and then click Next.

, type the name of the host server for the DFS root or search for it

, type the name of the DFS root and then click Next.

, select the folder that will serve as the share, or create a new one,

Finish.

service has not yet been started on the server, an error

end WSUS 3.0 servers has change if there is a WSUS 3.0 server installed

locally on the computer that has the DFS share, the Network Service account should have change permissions on the root folder. In addition, the user account of the administrator

), should also have change permissions. For each of the remote WSUS 3.0 servers, the domain/computer account

d computer is the name of the computer)


Note

For more information about setting permissions on DFS shares, see Shares in DFS Replica Sets to Apply to All Replic

PART V Configure IIS on the FrontIn order to access the updates on the DFS share, the front6.0 configured to allow remote access.

To configure IIS for remote access on the front

1. On each of the servers, go to and click Internet Information Services (IIS) Managerlaunches.

2. Click the server node, then the site (either Default Web Site

3. Right-click the Content

4. In the Content Propertiescontent for this resource should come from:

5. Select A share located on another computer(UNC) name of the share.

6. Click Connect As, and enter the user name and password that can be used to access that share.

Follow these steps for each of the frontas the DFS share.

PART VI Move the Local Content Directory on the First FrontEnd WSUS 3.0 Server to the DFS Share

It is now possible to move the content directories on the first frontshare. This is the first WSUS 3.0 frontlocal content directory on the WSUS 3.0 frontmoved.

To move the content directories on the front

1. Open a command window.

2. Change directory to the WSUS tools directory on the WSUS server:cd Program Files\Update Services

3. Type the following command:wsusutil movecontent DFSsharename

where DFSsharename is the name of the DFS share to which the content should be moved, and logfilename is the name of the log file.

9 How To Set File Permissions for Shares in DFS Replica Sets to Apply to All Replicashttp://go.microsoft.com/fwlink/?LinkId=86550


For more information about setting permissions on DFS shares, see How To Set File Permissions for Shares in DFS Replica Sets to Apply to All Replicas9.

Configure IIS on the Front-End WSUS 3.0 ServersIn order to access the updates on the DFS share, the front-end WSUS 3.0 servers must have IIS 6.0 configured to allow remote access.

To configure IIS for remote access on the front-end WSUS 3.0 servers:

On each of the servers, go to Start, point to All Programs, point to Administrative ToolsInternet Information Services (IIS) Manager. The management console

Click the server node, then the Web Sites node, and then the node for the WSUDefault Web Site or WSUS Administration).

Content node and select Properties.

Content Properties dialog box, click the Virtual Directory tab. In the top frame, content for this resource should come from: displays.

A share located on another computer and fill in the Universal Naming Context (UNC) name of the share.

, and enter the user name and password that can be used to access that

Follow these steps for each of the front-end WSUS 3.0 servers that are not on the same machine

Move the Local Content Directory on the First FrontEnd WSUS 3.0 Server to the DFS Share

It is now possible to move the content directories on the first front-end WSUS 3.0 server to the DFshare. This is the first WSUS 3.0 front-end server that was set up in PART I of local content directory on the WSUS 3.0 front-end servers set up in PART II will not need to be

move the content directories on the front-end WSUS 3.0 servers:

Open a command window.

Change directory to the WSUS tools directory on the WSUS server: Update Services\Tools

Type the following command: wsusutil movecontent DFSsharename logfilename

is the name of the DFS share to which the content should be moved, is the name of the log file.

How To Set File Permissions for Shares in DFS Replica Sets to Apply to All Replicas {R9}: http://go.microsoft.com/fwlink/?LinkId=86550


Page 53

How To Set File Permissions for

End WSUS 3.0 Servers end WSUS 3.0 servers must have IIS

Administrative Tools, management console

node, and then the node for the WSUS 3.0 Web

tab. In the top frame, The

and fill in the Universal Naming Context

, and enter the user name and password that can be used to access that

WSUS 3.0 servers that are not on the same machine

Move the Local Content Directory on the First Front-

end WSUS 3.0 server to the DFS of APPENDIX C. The will not need to be

is the name of the DFS share to which the content should be moved,



PART VII Configure the NLB

To configure NLB:

1. Enable Network Load Balancing:

a. Click Start, click Control PanelConnection, and then click

b. Click Install. On the click Add.

c. On the Select Network ServiceOK.

d. On the Local Area Connection PropertiesBalancing check box and then click

2. On the Cluster Parametersbe shared among the frontoperation mode, select

3. On the Host Parametersof the cluster.

4. On the Port Rules tab, ensure there is a port rule specifying single affinity (the default).Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.

5. Click OK, and return to the

6. Select Internet Protocol (TCP/IP)

7. In the IP Settings tab, under will be two IP addresses). This should be done on each cluster member.

8. On the DNS tab, clear the Ensure that there is no DNS entry for the IP address.

PART VIII Test the WSUS 3.0 NLB ConfigurationEnsure that at least one of the WSUS 3.0 frontIf the synchronisation is successful, continue to and NLB cluster setup.

PART IX Configure WSUS 3.0 Clients to Sync from the DFS Share

Instructions for configuring WSUS 3.0 clients are provided in the 3.0 Operations Guide {R1}. However, in the case of WSUS 3.0 on NLB clusters, the virtual address of the NLB cluster should be specified, rather than one of the individual Wservers. For example, if the clients are configured with a Group Policy object or Local Group Policy object, the setting for the Specify intranet Microsoft update service locationthe virtual Web address of the NLB clust

Note

If a DFS share is used, be careful when uninstalling WSUS 3.0 from one but not all of the frontservers. If the WSUS content directory is allowed to be deleted, this will affect all the WSUS 3.0 frontservers.


Configure the NLB

Enable Network Load Balancing:

Control Panel, click Network Connections, click , and then click Properties.

. On the Select Network Component Type screen, select

Select Network Service screen, select Network Load Balancing

Local Area Connection Properties screen, select the Network Load check box and then click Properties.

Cluster Parameters tab, complete the relevant information (the virtual IP address to be shared among the front-end computers, and the subnet mask). Under

, select Unicast.

Host Parameters tab, ensure the unique host identifier is different for each member

tab, ensure there is a port rule specifying single affinity (the default).Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.

, and return to the Local Area Connection Properties screen.

Internet Protocol (TCP/IP), click Properties, and then click Advanced

tab, under IP addresses, add the virtual IP of the cluster (so that there will be two IP addresses). This should be done on each cluster member.

lear the Register this connection's addresses in DNSEnsure that there is no DNS entry for the IP address.

Test the WSUS 3.0 NLB Configuration Ensure that at least one of the WSUS 3.0 front-end servers can perform an initial synchronisation. If the synchronisation is successful, continue to PART IX. Otherwise, review the WSUS 3.0 setup

Configure WSUS 3.0 Clients to Sync from the DFS

Instructions for configuring WSUS 3.0 clients are provided in the Windows Server Update Services . However, in the case of WSUS 3.0 on NLB clusters, the virtual address

of the NLB cluster should be specified, rather than one of the individual WSUS 3.0 frontservers. For example, if the clients are configured with a Group Policy object or Local Group Policy

Specify intranet Microsoft update service locationthe virtual Web address of the NLB cluster.

If a DFS share is used, be careful when uninstalling WSUS 3.0 from one but not all of the frontservers. If the WSUS content directory is allowed to be deleted, this will affect all the WSUS 3.0 front


Page 54

, click Local Area

screen, select Service and

Network Load Balancing and click

Network Load

tab, complete the relevant information (the virtual IP address to net mask). Under Cluster

tab, ensure the unique host identifier is different for each member

tab, ensure there is a port rule specifying single affinity (the default). Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.

screen.

Advanced.

, add the virtual IP of the cluster (so that there will be two IP addresses). This should be done on each cluster member.

Register this connection's addresses in DNS check box.

end servers can perform an initial synchronisation. . Otherwise, review the WSUS 3.0 setup

Configure WSUS 3.0 Clients to Sync from the DFS

Windows Server Update Services . However, in the case of WSUS 3.0 on NLB clusters, the virtual address

SUS 3.0 front-end servers. For example, if the clients are configured with a Group Policy object or Local Group Policy

Specify intranet Microsoft update service location setting should be

If a DFS share is used, be careful when uninstalling WSUS 3.0 from one but not all of the front-end servers. If the WSUS content directory is allowed to be deleted, this will affect all the WSUS 3.0 front-end


APPENDIX D

PART I Terms and Abbreviations

Abbreviation Definition

API Application Programming Interface

BITS Background Intelligent Transfer Service

CAL Client Access Licen

DFS Distributed File System

DNS Domain Name System

EULA End User Licence Agreement

GPO Group Policy

IIS Internet Information Services

IP Internet Protocol

MOF Microsoft Operations Framework

MSF Microsoft Solutions Framework

MSRC Microsoft Security Research Centre

NAT Network Address Translation

NIC Network Interface Card

NLB Network Load

NTFS NT File System

OU Organisational Unit

SP Service Pack

SPN Service Principal Name

SSL Secure Sockets Layer

UI User Interface

UNC Universal Naming Convention

VPN Virtual Private Network

WAN Wide Area Network

WSUS Windows Server

WUA Windows Update Agent

Table 8: Terms and Abbreviations


DOCUMENT INFORMATION

d Abbreviations

Definition

Application Programming Interface

Background Intelligent Transfer Service

Client Access Licence

Distributed File System

Domain Name System

End User Licence Agreement

Group Policy Object

Internet Information Services

Internet Protocol

Microsoft Operations Framework

Microsoft Solutions Framework

Microsoft Security Research Centre

Network Address Translation

Network Interface Card

Network Load Balancing

NT File System

Organisational Unit

Service Pack

Service Principal Name

Secure Sockets Layer

User Interface

Universal Naming Convention

Virtual Private Network

Wide Area Network

Windows Server Update Services

Windows Update Agent


Page 55


PART II References

Reference Document

R1. Windows Server Update Services 3.0 Operations Guidehttp://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx

R2. MSF Process Model Whitehttp://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0bfc886956790e&DisplayLang=en

R3. MOF Executive Overviewhttp://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx

R4. Deploying Microsoft Windows Server Update Serviceshttp://go.microsoft.com/fwlink/?LinkId=86416

R5. Microsoft Windows Server Update Services 3.0 Operations Guidehttp://go.microsoft.com/fwlink/?Lin

R6. Microsoft Help and Support: create a remote connection to an instance of SQL Server 2005http://go.microsoft.com/fwlink/?LinkId=85942

R7. MSDN: How to: Create a New SQL Server 2005 Failover Cluster (Setup):http://go.microsoft.com/fwlink/?LinkId=76490

R8. Microsoft TechNet: Network Loadhttp://go.microsoft.com/fwlink/?LinkId=76491

R9. Microsoft Help and Support: All Replicas: http://go.microsoft.com/fwlink/?LinkId=86550

Table 9: References


References

Windows Server Update Services 3.0 Operations Guide http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx

MSF Process Model Whitepaper: http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en

Executive Overview: http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx

Deploying Microsoft Windows Server Update Services 3.0: http://go.microsoft.com/fwlink/?LinkId=86416

Microsoft Windows Server Update Services 3.0 Operations Guide: http://go.microsoft.com/fwlink/?LinkId=86697

Microsoft Help and Support: How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005: http://go.microsoft.com/fwlink/?LinkId=85942

How to: Create a New SQL Server 2005 Failover Cluster (Setup): http://go.microsoft.com/fwlink/?LinkId=76490

Network Load Balancing Clusters: http://go.microsoft.com/fwlink/?LinkId=76491

Microsoft Help and Support: How To Set File Permissions for Shares in DFS Replica Sets to Apply to



Page 56

Version

1.0.0.0

3.1

1.0

1.1

1.1

How to make sure that you are using Kerberos authentication when you

How To Set File Permissions for Shares in DFS Replica Sets to Apply to

http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx










mshpo - windows server update services...

Documents