wsus3 improvements for distributed networks - final

8/2/2019 WSUS3 Improvements for Distributed Networks - FINAL

1/13

Windows Server Update Services 3.0

Improvements for Distributed

Networks

Microsoft Corporation

Published: June 2007

Author: Jeff Centimano

AbstractThis white paper highlights new and improved features in WSUS 3.0 that

address update management for distributed networks. Distributed

networks include businesses with multiple locations, or with a mobile

workforce.

Note:

For more information about Windows Server Update Services 3.0,

including deployment recommendations and a step-by-step


2/13

installation guide, please visit the WSUS TechCenter on Microsoft

TechNet.
http://www.microsoft.com/technet/windowsserver/wsus/default.mspxhttp://www.microsoft.com/technet/windowsserver/wsus/default.mspx


3/13

The information contained in this document represents the current view of Microsoft Corporation on

the issues discussed as of the date of publication. Because Microsoft must respond to changing

market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and

Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,

EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the

rights under copyright, no part of this document may be reproduced, stored in or introduced into a

retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying,

recording, or otherwise), or for any purpose, without the express written permission of Microsoft

Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. Except as expressly provided in any

written license agreement from Microsoft, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail

addresses, logos, people, places, and events depicted herein are fictitious, and no association with

any real company, organization, product, domain name, e-mail address, logo, person, place, orevent is intended or should be inferred.

2007 Microsoft Corporation. All r ights reserved.

Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or

trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their

respective owners.


4/13

Contents

Distributed Deployment Overview ......................................................................................................................... ...... ....5

Replica Servers ............................................................................................................................................................5

Autonomous Servers ...................................................................................................................................................5

Improved Deployment Flexibility ......................................................................................................................................6

Replica Mode Improvements .......................................................................................................................................6

Automatic Update Client Improvements ......................................................................................................................8

Scalability and High-Availability Improvements .............................................................................................................10

Other Deployment Considerations ......................................................................................................... ...... ...... ...... .....11

Roaming WSUS Clients .............................................................................................................................................11

Auditing WSUS Changes ...........................................................................................................................................13

For More Information .....................................................................................................................................................13

4


5/13

Distributed Deployment Overview

Microsoft Windows Server Update Services (WSUS) 3.0 introduces a completelyrewritten user interface with rich status information and highly-customized reporting.

However, other improvements promise to be just as compelling for WSUS

administrators especially those with distributed environments. This section

highlights options for distributed WSUS deployments and is targeted at new WSUS

administrators or those looking to expand their WSUS environment. Seasoned WSUS

administrators may want to skip to the next section for an overview of whats

changed in WSUS 3.0.

Replica ServersReplica servers offer a simple way to extend the reach of your WSUS deployment

without a corresponding increase in administrative overhead. Administrators with

multiple physical locations can deploy replica servers to reduce bandwidth

consumption, while still maintaining full control over the update experience. This is

especially useful in remote locations with many computers, but no IT staff.

Replica servers receive update approvals, computer groups, and update content from

a parent server on a scheduled basis. Update content can include all, or only a subset

of the languages available on the parent server. Computers can then download

updates and report their status to a local replica server instead of communicating

across the wide-area network (WAN). To facilitate organization-wide status reporting,replica servers upload detailed information about their local computers to a parent

server during the normal synchronization process. Aside from initial setup and

computer targeting, replica servers require very little ongoing management.

Autonomous ServersOrganizations with skilled IT staff in multiple locations may prefer to deploy

autonomous WSUS servers. Aside from the ability to synchronize update content from

a parent server (similar to replica server behavior), autonomous servers perform all

other management and maintenance tasks locally. This includes approving updates,

creating computer groups, and running status reports. Autonomous servers are also

useful for test environments that are disconnected from the production network or

the Internet. Update content and metadata from a production WSUS server is easily

imported to a test environment using removable media.

Note:

5


6/13

Autonomous servers only upload status summaries to their parent server. If

your environment requires detailed reporting rollup, use replica servers

instead.

Improved Deployment Flexibility

Replica Mode ImprovementsEven though replica servers were introduced in WSUS 2.0, several key improvements

in WSUS 3.0 make them even more desirable for distributed networks.

Built-In Reporting RollupPreviously available as a separate download for WSUS 2.0, reporting rollup is now

included and enabled by default in WSUS 3.0. Administrators can choose to display

status information from replica servers globally (Figure 1), or on a one-off basis within

the reporting interface (Figure 2). Aside from planning for the additional load created

by downstream clients, no additional server configuration is required.

Figure 1: Global Reporting Rollup Setting

6


7/13

Figure 2: Reporting Interface Replica Visibility

Enable/Disable Replica ModeIn WSUS 2.0 the choice to deploy a replica server was only available during setup. If

your network or business needs changed, the only way to enable/disable replica

mode was to reinstall the product. WSUS 3.0 introduces the ability to toggle replica

mode (Figure 3). Using a simple check-box, administrators can change a replica

server to operate autonomously, or vice versa.

Figure 3: Configurable Replica Mode Setting

7


8/13

Being able to toggle replica mode also adds another layer to your WSUS 3.0 disaster

recovery strategy. For example, if a parent server becomes unavailable due to

hardware or software failure, a replica can be promoted on a temporary basis. This

allows you to rebuild the failed parent server as a replica, synchronize update

approvals and computer groups from the promoted server, and finally reconfigure allservers to their original roles. No disaster recovery plan should depend on this

functionality; however, it may be useful when traditional server backups are not

available.

Configurable Content SourceMany corporate WANs are characterized by a hub-and-spoke design, where branch

offices connect to a headquarters location for all content. However, some WANs are

more complex consisting of multiple hub locations, or branch offices with a private

link to headquarters and a separate connection to the Internet.

New functionality in WSUS 3.0 allows administrators to split replica server

communication and content download across two different connections. For example,

a replica server with a slow private WAN link but high-speed Internet connectivity can

synchronize update metadata, computer groups, and status information across the

private WAN then download approved update content from Microsoft Update servers

using the high-speed Internet connection. This improved flexibility enables

administrators to deploy replica servers where they were previously impractical

because of limited WAN bandwidth.

Language Download SettingsAdditional bandwidth savings can be achieved by only downloading updates in

languages needed by clients in a particular location. In WSUS 3.0 replica servers now

have the ability to synchronize a subset of the languages supported by the parent

server. For global deployments, a best-practice design might include a parent server

supporting all languages with geographical replica servers only downloading updates

for their local language.

Automatic Update Client ImprovementsWSUS 3.0 includes a new version of the Automatic Update (AU) client, which is

automatically deployed the fist time a computer contacts WSUS 3.0. The new AUclient contains improvements for all supported operating systems, including the

ability to install non-Microsoft updates and to collect machine inventory data. Some

features of the new AU client are only accessible via the WSUS Application

Programming Interface (API), or through additional products such as Microsoft System

Center Essentials.

8


9/13

Windows Vista Peer CachingImprovements in the Windows Vista AU client and Background Intelligent Transfer

Service (BITS) 3.0 offer additional capabilities not found in other operating systems.

Specifically, Windows Vista can take advantage of BITS 3.0 peer caching when

connected to a WSUS 3.0 server. Peer caching enables Windows Vista to shareapproved update content with other Windows Vista computers in the same domain,

and on the same IP subnet. Peer caching is configurable through Group Policy (Figure

4).

Figure 4: BITS Peer Caching Group Policy Setting

Peer caching can significantly reduce the load on your WSUS 3.0 servers. In

Microsofts internal WSUS 3.0 environment up to 80 percent of Windows Vista clients

download update content from their peers, and not directly from WSUS 3.0. BITS 3.0

peer caching can also benefit branch office environments that do not have a local

WSUS server. If a large percentage of branch office computers run Windows Vista you

may decide to rely on peer caching instead of a WSUS replica server. More

information on BITS 3.0 peer caching and other BITS best-practices is located in the

WSUS 3.0 Operations Guide Appendix E

Windows Vista Windows Update ApplicationWindows Vista also offers a graphical Windows Update application (Figure 5) not

found in other operating systems. This application allows users to view Windows

Update status, and manually run a check for WSUS-hosted updates all without

resorting to command line utilities. The Windows Update application can be

customized in a number of different ways. For example, administrators can use Active

Directory Group Policy to remove the option to check for updates on the public

Microsoft Update site. This is important for organizations that want complete control

over approved and installed updates. However, organizations without an Internet-

facing WSUS server may prefer to deploy updates this way instead of leaving clients

exposed to potential issues. Regardless of how you choose to use this feature, it is a

welcome addition to the product.

9
http://technet2.microsoft.com/windowsserver/en/library/01c3e082-8e15-47c2-badf-3d14554534d61033.mspx?mfr=truehttp://technet2.microsoft.com/windowsserver/en/library/01c3e082-8e15-47c2-badf-3d14554534d61033.mspx?mfr=true


10/13

Figure 5: Windows Update Application

Scalability and High-Availability Improvements

Large and highly-distributed networks often require additional capabilities that arenot needed in smaller environments. This section addresses scalability and high-

availability improvements in WSUS 3.0.

Native 64-Bit SupportWSUS 3.0 now comes in a native 64-bit version (x64) for use on Microsoft Windows

Server 2003 x64 Edition. This version is appropriate for anyone running x64-

compatible hardware, and offers specific scale-up benefits for large environments. For

example, up to 20,000 clients are supported on a single server using the x64 version

of WSUS 3.0. See the WSUS 3.0 Deployment Guide for a complete list of hardware

recommendations for 32-bit and 64-bit deployments.

Network Load Balancing SupportSupport for Network Load Balancing (NLB) is back in WSUS 3.0. Previously available in

Software Update Services (SUS) but missing from WSUS 2.0, this high-availability

technology is appropriate for large environments with strict service level agreements.

By using NLB, two to four front-end WSUS 3.0 servers present themselves a single

10
http://go.microsoft.com/fwlink/?LinkId=86416http://go.microsoft.com/fwlink/?LinkId=86416


11/13

server to WSUS clients. If a front-end server goes offline for planned maintenance or

an unplanned component failure clients continue to receive updates from the

remaining NLB member(s).

Note:NLB clustering requires that the WSUS 3.0 database be stored on a separate

SQL Server 2005 server. Additionally, NLB clustering does not increase the

total number of clients supported by a single WSUS server.

Microsoft SQL Server 2005 Cluster SupportWSUS 3.0 now supports Microsoft SQL Server 2005 clustering to provide high-

availability for environments with a back-end database server. Microsoft SQL Server

2005 clustering can be used with a single front-end WSUS 3.0 server, or as part of a

fully-redundant design with NLB front-end servers.

Note:

Unlike the Windows Internal Database included with WSUS 3.0, Microsoft SQL

Server 2005 requires separate server and client access licenses. Contact your

Microsoft Account Manager or a Microsoft Certified Partner for more

information.

Other Deployment Considerations

Roaming WSUS ClientsMany organizations are concerned about keeping mobile computers updated when

they roam between corporate locations, and onto the public Internet. The solutions

listed below are just a couple possible ways to address this issue.

DNS Netmask OrderingThe DNS Netmask Ordering function in Windows Server 2003 allows roaming WSUS

clients to be directed to the closest WSUS server (based on IP subnet). This type of

design implies multiple WSUS servers preferably a parent server at the network hub

and replica servers in other locations. All WSUS servers must have host records in

DNS with the same fully-qualified domain name, but different IP addresses. Once DNS

and WSUS are correctly configured, all name resolution requests for WSUS will return

an IP address on the clients subnet. If a local WSUS server does not exist, DNS Round

11


12/13

Robin will choose one at random. More information about DNS Netmask Ordering and

Round Robin is located in Windows Server 2003 Help and Support.

Publishing WSUS 3.0 Using Microsoft ISA Server

Although DNS Netmask Ordering is helpful when roaming between locations on theinternal network, another solution is needed to accommodate WSUS clients outside

the corporate firewall. One option is to publish WSUS 3.0 on the Internet using

Microsoft Internet Security and Acceleration (ISA) Server. If you decide to implement

this solution you can simply publish an internal WSUS server, or use a replica server

in a demilitarized zone (DMZ) network. Regardless of which server you publish, SSL is

recommended so roaming computers can verify the identity of your WSUS server.

Step-by-step instructions to publish WSUS using Microsoft ISA Server are available in

the Microsoft whitepaper Implementing WSUS with ISA Server 2004 to Manage

Remote Clients. Although this whitepaper was written for WSUS 2.0 the concepts are

still valid for WSUS 3.0. However, important information in the ISA Server web

publishing section is out-of-date. Please refer to Table 1 on the following page for a

correct list of WSUS 3.0 virtual directories to publish.

Virtual Directory Publish HTTP? Publish HTTPS?

/Content/*

/Selfupdate/*

/ClientWebService/*

/Inventory/*

/SimpleAuthWebService/*

/ReportingWebService/*

Table 1: Correct List of WSUS 3.0 Virtual Directories

Note:

The following virtual directories should not be exposed to the Internet:

/ApiRemoting30 Used for API access, including the WSUS

Administration Console

/DssAuthWebService Allows other WSUS servers to authenticate to

the server

12
http://www.microsoft.com/downloads/details.aspx?FamilyID=ab72eb03-09cf-4cfb-9af5-1a7dc9c80bc9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=ab72eb03-09cf-4cfb-9af5-1a7dc9c80bc9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=ab72eb03-09cf-4cfb-9af5-1a7dc9c80bc9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=ab72eb03-09cf-4cfb-9af5-1a7dc9c80bc9&displaylang=en


13/13

/ServerSyncWebService Allows other WSUS servers to sync with the

server

Auditing WSUS ChangesLarge organizations often have multiple administrators who are responsible forsoftware update management. These organizations may also be subject to industry

regulations on computer security. In such environments it is important to maintain an

audit trail of when updates are approved, and by whom. WSUS 3.0 includes a new log

file to record this type of information. The file name is Change.logand by default it is

located in the %ProgramFiles%\UpdateServices\LogFiles directory. In addition to

update approval changes, the file records content synchronization, computer group

additions/deletions, and server configuration changes.

For More Information

WSUS 3.0 is a compelling software update management tool for organizations of any

size. The following information will help you evaluate and deploy WSUS 3.0 in your

environment:

The WSUS TechCenter on Microsoft TechNet (late-breaking information)

WSUS 3.0 Documentation:

o Release Notes for Microsoft WSUS 3.0

o Microsoft WSUS 3.0 Overview

o Step-by-Step Guide to Getting Started with Microsoft WSUS 3.0

o Deploying Microsoft WSUS 3.0

o WSUS 3.0 Operations Guide

WSUS 3.0 Download (x86 and x64)

Management Pack Catalog (for organizations running MOM 2005 or SCOM

2007)

13
http://www.microsoft.com/technet/windowsserver/wsus/default.mspxhttp://go.microsoft.com/fwlink/?LinkId=71220http://go.microsoft.com/fwlink/?LinkId=71191http://go.microsoft.com/fwlink/?LinkId=71190http://go.microsoft.com/fwlink/?LinkId=86416http://go.microsoft.com/fwlink/?LinkId=86697http://go.microsoft.com/fwlink/?LinkId=89379http://www.microsoft.com/technet/prodtechnol/mom/catalog/catalog.aspx?vs=2005http://www.microsoft.com/technet/windowsserver/wsus/default.mspxhttp://go.microsoft.com/fwlink/?LinkId=71220http://go.microsoft.com/fwlink/?LinkId=71191http://go.microsoft.com/fwlink/?LinkId=71190http://go.microsoft.com/fwlink/?LinkId=86416http://go.microsoft.com/fwlink/?LinkId=86697http://go.microsoft.com/fwlink/?LinkId=89379http://www.microsoft.com/technet/prodtechnol/mom/catalog/catalog.aspx?vs=2005

wsus3 improvements for distributed networks - final

Documents