8/2/2019 WSUS3 Improvements for Distributed Networks - FINAL
Windows Server Update Services 3.0
Improvements for Distributed
Networks
Microsoft Corporation
Published: June 2007
Author: Jeff Centimano
Abstract
This white paper highlights new and improved features in WSUS 3.0 that
address update management for distributed networks. Distributed
networks include businesses with multiple locations, or with a mobile
workforce.
Note:
For more information about Windows Server Update Services 3.0,
including deployment recommendations and a step-by-step
installation guide, please visit the WSUS TechCenter on Microsoft
TechNet.
http://www.microsoft.com/technet/windowsserver/wsus/default.mspx
The information contained in this document represents the current view of Microsoft Corporation on
the issues discussed as of the date of publication. Because Microsoft must respond to changing
market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Distributed Deployment Overview ......................................... 5
    Replica Servers ..................................................... 5
    Autonomous Servers .................................................. 5
Improved Deployment Flexibility ......................................... 6
    Replica Mode Improvements ........................................... 6
    Automatic Update Client Improvements ................................ 8
Scalability and High-Availability Improvements ......................... 10
Other Deployment Considerations ........................................ 11
    Roaming WSUS Clients ............................................... 11
    Auditing WSUS Changes .............................................. 13
For More Information ................................................... 13
Distributed Deployment Overview
Microsoft Windows Server Update Services (WSUS) 3.0 introduces a completely
rewritten user interface with rich status information and highly customized reporting.
However, other improvements promise to be just as compelling for WSUS
administrators, especially those with distributed environments. This section
highlights options for distributed WSUS deployments and is targeted at new WSUS
administrators or those looking to expand their WSUS environment. Seasoned WSUS
administrators may want to skip to the next section for an overview of what's
changed in WSUS 3.0.
Replica Servers
Replica servers offer a simple way to extend the reach of your WSUS deployment
without a corresponding increase in administrative overhead. Administrators with
multiple physical locations can deploy replica servers to reduce bandwidth
consumption, while still maintaining full control over the update experience. This is
especially useful in remote locations with many computers, but no IT staff.
Replica servers receive update approvals, computer groups, and update content from
a parent server on a scheduled basis. Update content can include all, or only a subset
of the languages available on the parent server. Computers can then download
updates and report their status to a local replica server instead of communicating
across the wide-area network (WAN). To facilitate organization-wide status reporting,
replica servers upload detailed information about their local computers to a parent
server during the normal synchronization process. Aside from initial setup and
computer targeting, replica servers require very little ongoing management.
Autonomous Servers
Organizations with skilled IT staff in multiple locations may prefer to deploy
autonomous WSUS servers. Aside from the ability to synchronize update content from
a parent server (similar to replica server behavior), autonomous servers perform all
other management and maintenance tasks locally. This includes approving updates,
creating computer groups, and running status reports. Autonomous servers are also
useful for test environments that are disconnected from the production network or
the Internet. Update content and metadata from a production WSUS server is easily
imported to a test environment using removable media.
Note:
Autonomous servers only upload status summaries to their parent server. If
your environment requires detailed reporting rollup, use replica servers
instead.
Improved Deployment Flexibility
Replica Mode Improvements
Even though replica servers were introduced in WSUS 2.0, several key improvements
in WSUS 3.0 make them even more desirable for distributed networks.
Built-In Reporting Rollup
Previously available as a separate download for WSUS 2.0, reporting rollup is now
included and enabled by default in WSUS 3.0. Administrators can choose to display
status information from replica servers globally (Figure 1), or on a one-off basis within
the reporting interface (Figure 2). Aside from planning for the additional load created
by downstream clients, no additional server configuration is required.
Figure 1: Global Reporting Rollup Setting
Figure 2: Reporting Interface Replica Visibility
Enable/Disable Replica Mode
In WSUS 2.0 the choice to deploy a replica server was only available during setup. If
your network or business needs changed, the only way to enable/disable replica
mode was to reinstall the product. WSUS 3.0 introduces the ability to toggle replica
mode (Figure 3). Using a simple check-box, administrators can change a replica
server to operate autonomously, or vice versa.
Figure 3: Configurable Replica Mode Setting
Being able to toggle replica mode also adds another layer to your WSUS 3.0 disaster
recovery strategy. For example, if a parent server becomes unavailable due to
hardware or software failure, a replica can be promoted on a temporary basis. This
allows you to rebuild the failed parent server as a replica, synchronize update
approvals and computer groups from the promoted server, and finally reconfigure all
servers to their original roles. No disaster recovery plan should depend on this
functionality; however, it may be useful when traditional server backups are not
available.
Configurable Content Source
Many corporate WANs are characterized by a hub-and-spoke design, where branch
offices connect to a headquarters location for all content. However, some WANs are
more complex, consisting of multiple hub locations, or branch offices with a private
link to headquarters and a separate connection to the Internet.
New functionality in WSUS 3.0 allows administrators to split replica server
communication and content download across two different connections. For example,
a replica server with a slow private WAN link but high-speed Internet connectivity can
synchronize update metadata, computer groups, and status information across the
private WAN then download approved update content from Microsoft Update servers
using the high-speed Internet connection. This improved flexibility enables
administrators to deploy replica servers where they were previously impractical
because of limited WAN bandwidth.
Language Download Settings
Additional bandwidth savings can be achieved by only downloading updates in
languages needed by clients in a particular location. In WSUS 3.0 replica servers now
have the ability to synchronize a subset of the languages supported by the parent
server. For global deployments, a best-practice design might include a parent server
supporting all languages with geographical replica servers only downloading updates
for their local language.
Automatic Update Client Improvements
WSUS 3.0 includes a new version of the Automatic Update (AU) client, which is
automatically deployed the first time a computer contacts WSUS 3.0. The new AU
client contains improvements for all supported operating systems, including the
ability to install non-Microsoft updates and to collect machine inventory data. Some
features of the new AU client are only accessible via the WSUS Application
Programming Interface (API), or through additional products such as Microsoft System
Center Essentials.
Windows Vista Peer Caching
Improvements in the Windows Vista AU client and Background Intelligent Transfer
Service (BITS) 3.0 offer additional capabilities not found in other operating systems.
Specifically, Windows Vista can take advantage of BITS 3.0 peer caching when
connected to a WSUS 3.0 server. Peer caching enables Windows Vista to share
approved update content with other Windows Vista computers in the same domain,
and on the same IP subnet. Peer caching is configurable through Group Policy (Figure
4).
Figure 4: BITS Peer Caching Group Policy Setting
Peer caching can significantly reduce the load on your WSUS 3.0 servers. In
Microsoft's internal WSUS 3.0 environment, up to 80 percent of Windows Vista clients
download update content from their peers, and not directly from WSUS 3.0. BITS 3.0
peer caching can also benefit branch office environments that do not have a local
WSUS server. If a large percentage of branch office computers run Windows Vista you
may decide to rely on peer caching instead of a WSUS replica server. More
information on BITS 3.0 peer caching and other BITS best-practices is located in the
WSUS 3.0 Operations Guide, Appendix E.
Windows Vista Windows Update Application
Windows Vista also offers a graphical Windows Update application (Figure 5) not
found in other operating systems. This application allows users to view Windows
Update status and manually run a check for WSUS-hosted updates, all without
resorting to command line utilities. The Windows Update application can be
customized in a number of different ways. For example, administrators can use Active
Directory Group Policy to remove the option to check for updates on the public
Microsoft Update site. This is important for organizations that want complete control
over approved and installed updates. However, organizations without an Internet-
facing WSUS server may prefer to deploy updates this way instead of leaving clients
exposed to potential issues. Regardless of how you choose to use this feature, it is a
welcome addition to the product.
http://technet2.microsoft.com/windowsserver/en/library/01c3e082-8e15-47c2-badf-3d14554534d61033.mspx?mfr=true
Figure 5: Windows Update Application
Scalability and High-Availability Improvements
Large and highly-distributed networks often require additional capabilities that are
not needed in smaller environments. This section addresses scalability and high-
availability improvements in WSUS 3.0.
Native 64-Bit Support
WSUS 3.0 now comes in a native 64-bit version (x64) for use on Microsoft Windows
Server 2003 x64 Edition. This version is appropriate for anyone running x64-
compatible hardware, and offers specific scale-up benefits for large environments. For
example, up to 20,000 clients are supported on a single server using the x64 version
of WSUS 3.0. See the WSUS 3.0 Deployment Guide for a complete list of hardware
recommendations for 32-bit and 64-bit deployments.
http://go.microsoft.com/fwlink/?LinkId=86416
Network Load Balancing Support
Support for Network Load Balancing (NLB) is back in WSUS 3.0. Previously available in
Software Update Services (SUS) but missing from WSUS 2.0, this high-availability
technology is appropriate for large environments with strict service level agreements.
By using NLB, two to four front-end WSUS 3.0 servers present themselves as a single
server to WSUS clients. If a front-end server goes offline for planned maintenance or
an unplanned component failure, clients continue to receive updates from the
remaining NLB member(s).
Note:
NLB clustering requires that the WSUS 3.0 database be stored on a separate
SQL Server 2005 server. Additionally, NLB clustering does not increase the
total number of clients supported by a single WSUS server.
Microsoft SQL Server 2005 Cluster Support
WSUS 3.0 now supports Microsoft SQL Server 2005 clustering to provide high-
availability for environments with a back-end database server. Microsoft SQL Server
2005 clustering can be used with a single front-end WSUS 3.0 server, or as part of a
fully-redundant design with NLB front-end servers.
Note:
Unlike the Windows Internal Database included with WSUS 3.0, Microsoft SQL
Server 2005 requires separate server and client access licenses. Contact your
Microsoft Account Manager or a Microsoft Certified Partner for more
information.
Other Deployment Considerations
Roaming WSUS Clients
Many organizations are concerned about keeping mobile computers updated when
they roam between corporate locations, and onto the public Internet. The solutions
listed below are just a couple of possible ways to address this issue.
DNS Netmask Ordering
The DNS Netmask Ordering function in Windows Server 2003 allows roaming WSUS
clients to be directed to the closest WSUS server (based on IP subnet). This type of
design implies multiple WSUS servers, preferably a parent server at the network hub
and replica servers in other locations. All WSUS servers must have host records in
DNS with the same fully-qualified domain name, but different IP addresses. Once DNS
and WSUS are correctly configured, all name resolution requests for WSUS will return
an IP address on the client's subnet. If a local WSUS server does not exist, DNS Round
Robin will choose one at random. More information about DNS Netmask Ordering and
Round Robin is located in Windows Server 2003 Help and Support.
Publishing WSUS 3.0 Using Microsoft ISA Server
Although DNS Netmask Ordering is helpful when roaming between locations on the
internal network, another solution is needed to accommodate WSUS clients outside
the corporate firewall. One option is to publish WSUS 3.0 on the Internet using
Microsoft Internet Security and Acceleration (ISA) Server. If you decide to implement
this solution you can simply publish an internal WSUS server, or use a replica server
in a demilitarized zone (DMZ) network. Regardless of which server you publish, SSL is
recommended so roaming computers can verify the identity of your WSUS server.
Step-by-step instructions to publish WSUS using Microsoft ISA Server are available in
the Microsoft whitepaper "Implementing WSUS with ISA Server 2004 to Manage
Remote Clients". Although this whitepaper was written for WSUS 2.0, the concepts are
still valid for WSUS 3.0. However, important information in the ISA Server web
publishing section is out-of-date. Please refer to Table 1 below for a
correct list of WSUS 3.0 virtual directories to publish.
Virtual Directory          Publish HTTP?   Publish HTTPS?
/Content/*
/Selfupdate/*
/ClientWebService/*
/Inventory/*
/SimpleAuthWebService/*
/ReportingWebService/*
Table 1: Correct List of WSUS 3.0 Virtual Directories
Note:
The following virtual directories should not be exposed to the Internet:
/ApiRemoting30 - Used for API access, including the WSUS Administration Console
/DssAuthWebService - Allows other WSUS servers to authenticate to the server
/ServerSyncWebService - Allows other WSUS servers to sync with the server
http://www.microsoft.com/downloads/details.aspx?FamilyID=ab72eb03-09cf-4cfb-9af5-1a7dc9c80bc9&displaylang=en
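A configuration check for the publishing rule, added here as an example and not code from the white paper or from ISA Server: it takes the path patterns of a web publishing rule and reports which Table 1 directories the rule fails to cover and which of the internal-only directories it would expose. The wildcard matching (`*` matching everything below a path, case-insensitive) is an assumption that approximates ISA path rules.

```python
# Added example: lint the path list of a WSUS web publishing rule against the
# virtual directory lists given in this paper (Table 1 and the Note).
from fnmatch import fnmatchcase

# Directories Table 1 says to publish for roaming clients.
PUBLISHABLE = [
    "/Content/*", "/Selfupdate/*", "/ClientWebService/*",
    "/Inventory/*", "/SimpleAuthWebService/*", "/ReportingWebService/*",
]

# Directories the Note says must never be reachable from the Internet.
INTERNAL_ONLY = ["/ApiRemoting30", "/DssAuthWebService", "/ServerSyncWebService"]


def _path_matches(path, patterns):
    """Assumed ISA-style matching: case-insensitive, '*' spans sub-paths."""
    return any(fnmatchcase(path.lower(), p.lower()) for p in patterns)


def check_publishing_rule(published_paths):
    """Return (missing, exposed):
    missing - Table 1 directories no pattern covers (clients would fail),
    exposed - internal-only directories some pattern would let through."""
    # Probe with a constructed request path under each directory; the exact
    # file name does not matter, only whether a pattern would admit it.
    missing = [d for d in PUBLISHABLE
               if not _path_matches(d.replace("*", "probe"), published_paths)]
    exposed = [d for d in INTERNAL_ONLY
               if _path_matches(d, published_paths)
               or _path_matches(d + "/probe", published_paths)]
    return missing, exposed


if __name__ == "__main__":
    # A catch-all rule covers everything, including the admin API and
    # server-to-server endpoints; the narrow Table 1 list exposes nothing.
    for rule in (["/*"], PUBLISHABLE, ["/Content/*", "/ClientWebService/*"]):
        missing, exposed = check_publishing_rule(rule)
        print(rule, "missing:", missing, "exposed:", exposed)
```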
Auditing WSUS Changes
Large organizations often have multiple administrators who are responsible for
software update management. These organizations may also be subject to industry
regulations on computer security. In such environments it is important to maintain an
audit trail of when updates are approved, and by whom. WSUS 3.0 includes a new log
file to record this type of information. The file name is Change.log and by default it is
located in the %ProgramFiles%\UpdateServices\LogFiles directory. In addition to
update approval changes, the file records content synchronization, computer group
additions/deletions, and server configuration changes.
For More Information
WSUS 3.0 is a compelling software update management tool for organizations of any
size. The following information will help you evaluate and deploy WSUS 3.0 in your
environment:
The WSUS TechCenter on Microsoft TechNet (late-breaking information):
http://www.microsoft.com/technet/windowsserver/wsus/default.mspx
WSUS 3.0 Documentation:
o Release Notes for Microsoft WSUS 3.0: http://go.microsoft.com/fwlink/?LinkId=71220
o Microsoft WSUS 3.0 Overview: http://go.microsoft.com/fwlink/?LinkId=71191
o Step-by-Step Guide to Getting Started with Microsoft WSUS 3.0: http://go.microsoft.com/fwlink/?LinkId=71190
o Deploying Microsoft WSUS 3.0: http://go.microsoft.com/fwlink/?LinkId=86416
o WSUS 3.0 Operations Guide: http://go.microsoft.com/fwlink/?LinkId=86697
WSUS 3.0 Download (x86 and x64): http://go.microsoft.com/fwlink/?LinkId=89379
Management Pack Catalog (for organizations running MOM 2005 or SCOM 2007):
http://www.microsoft.com/technet/prodtechnol/mom/catalog/catalog.aspx?vs=2005