Server Hardware and
Software Requirements for Installing WSUS 3.0 SP2
1. Confirm that the server meets the
WSUS 3.0 SP2 system requirements for hardware, operating system, and
other required software. System requirements are listed in the
WSUS 3.0 SP2 Release Notes at http://go.microsoft.com/fwlink/?LinkId=139840.
If you are using Server Manager to install the WSUS 3.0 SP2 Server,
you can confirm that you meet the software requirements by following the steps
in the “Preparing to Install WSUS 3.0 SP2” section.
2. If you install roles or software updates that
require you to restart the server when installation is complete, then restart
the server before you install WSUS 3.0 SP2.
Client Software Requirements
Automatic Updates is the client of WSUS 3.0. Automatic
Updates has no hardware requirements other than being connected to the network.
1. Confirm that computer on which you are
installing Automatic Updates meets the WSUS 3.0 SP2 system
requirements for Client computers. System requirements are listed in the
WSUS 3.0 SP2 Release Notes at http://go.microsoft.com/fwlink/?LinkId=139840.
2. If you install software updates that require
you to restart the computer, restart it before you install
WSUS 3.0 SP2.
Permissions
The following permissions are required for the specified
users and directories:
1. The NT Authority\Network Service account must
have Full Control permission for the following folders so that the WSUS
Administration snap-in displays correctly:
· %windir%\Microsoft
.NET\Framework\v2.0.50727\Temporary ASP.NET Files
· %windir%\Temp
2. Confirm that the account that you plan to use
to install WSUS 3.0 SP2 is a member of the Local Administrators
group.
Preparing to Install WSUS 3.0 SP2
If you are running Windows 7 or
Windows Server 2008 SP2, you can install WSUS 3.0 SP2
from Server Manager. If you are using another supported operating system, or
installing only the WSUS Administration Console, go to the next section of this
guide to install WSUS 3.0 SP2 by using the WSUSSetup.exe file.
1. Log on to the server on which you plan to
install WSUS 3.0 SP2 by using an account that is a member of the
Local Administrators group.
2. Click Start, point to
Administrative Tools, and then click Server
Manager.
3. In the right side pane of the Server
Manager window, in the Roles Summary section, click Add Roles.
4. If the Before You Begin page appears, click
Next.
5. On the Select Server Roles page, confirm
that Application Server and Web Server
(IIS) are selected. If they have been selected, use the remainder of
this step to confirm that the required role services are selected. Otherwise,
install Application Server and Web Server (IIS) as follows.
a. On the Select Server Roles page, select Application
Server and Web Server (IIS). Click Next.
b. If you are installing Application Role Services, on the
Application Server page, click Next. On the Application
Server Role Services page, accept the default settings, and then click Next.
c. If you are installing Web Server IIS, on the Web Server (IIS)
page, click Next. On the Web Server (IIS) Role Services
page, in addition to the default settings, select ASP.NET,
Windows Authentication, Dynamic Content
Compression, and IIS 6 Management Compatibility.
If the Add Roles Wizard window appears, click Add Required
Role Services. Click Next.
d. On the Confirm Installation Selections page, click Install.
e. On the Installation Results page, confirm that an “Installation
succeeded” message appears for the role services that you installed in this
step, and then click Close.
|
Next Step
Step 2: Install
WSUS Server or Administration Console
After you make sure that the server meets the minimum system
requirements and that the necessary account permissions were granted, you are
ready to install Windows Server Upgrade Services 3.0
Service Pack 2 (WSUS 3.0 SP2). Start the installation of
WSUS 3.0 SP2 by using the applicable procedure for your operating
system and kind of installation (by using either Server Manager or the
WSUSSetup.exe file).
If You Are Using Server Manager
1. Log on to the server on which you plan to
install WSUS 3.0 SP2 by using an account that is a member of the
local Administrators group.
2. Click Start, point to
Administrative Tools, and then click Server
Manager.
3. In the right side pane of the Server
Manager window, in the Roles Summary section, click Add Roles.
4. If the Before You Begin page appears, click
Next.
5. On the Select Server Roles page, select Windows Server Update Services.
6. On the Windows Server Update Services page,
click Next.
7. On the Confirm Installation Selections
page, click Install.
8. When the WSUS 3.0 SP2 Setup
Wizard is started, skip the next section and see the “To continue installing
WSUS 3.0 SP2” procedure.
|
If You Are Using the WSUSSetup.exe File
1. Log on to the server on which you plan to
install WSUS 3.0 SP2 by using an account that is a member of the
Local Administrators group.
2. Double-click the WSUSSetup.exe
installer file.
3. When the Windows Server Update Services
3.0 SP2 Setup Wizard is started, see the “To continue installing WSUS
3.0 SP2” procedure.
|
Using the WSUS 3.0 SP2 Setup Wizard
The WSUS Setup Wizard is launched from Server Manager or
from the WSUSSetup.exe file.
1. On the Welcome page of the Windows Server
Update Services 3.0 Setup Wizard, click Next.
2. On the Installation Mode Selection page,
select Full server installation including Administration
Console if you want to install the WSUS server on this computer, or Administration Console only if you want to install the
administration console only.
3. On the License Agreement page, read the
terms of the license agreement, click I accept the terms of
the License agreement, and then click Next.
4. You can specify where clients get updates
on the Select Update Source page of the installation wizard. By default, the Store updates locally check box is selected and updates will
be stored on the WSUS server in the location that you specify. If you clear
the Store updates locally check box, client computers
obtain approved updates by connecting to Microsoft Update. Make your
selection, and then click Next.
5. On the Database Options page, select the
software that is used to manage the WSUS 3.0 database. By default, the installation
wizard offers to install Windows Internal Database.
If you do not want to use Windows Internal Database,
provide an instance of Microsoft SQL Server for WSUS to use by
selecting Use an existing database on this server or Use an existing database server on a remote computer. Type
the instance name in the applicable box. The instance name should appear as
<serverName>\<instanceName>, where serverName
is the name of the server and instanceName is
the name of the SQL instance. Make your selection, and then click Next.
6. If you have opted to connect to a
SQL Server, on the Connecting to SQL Server Instance
page, WSUS will try to connect to the specified instance of SQL Server.
When it has connected successfully, click Next to
continue.
7. On the Web Site Selection page, specify the
Web site that WSUS will use. If you want to use the default Web site on port
80, select Use the existing IIS Default Web site. If
you already have a Web site on port 80, you can create an alternate site
on port 8530 or 8531 by selecting Create a Windows Server
Update Services 3.0 SP2 Web site. Click Next.
8. On the Ready to Install
Windows Server Update Services page, review the selections, and then
click Next.
9. The final page of the installation wizard
will let you know if the WSUS installation completed successfully. After you
click Finish the configuration wizard will start.
|
Next Step
Step 3:
Configure the Network Connections
After you install
Windows Server Update Services 3.0 Service Pack 2
(WSUS 3.0 SP2), the configuration wizard will launch automatically.
You can also run the wizard later through the Options
page of the WSUS Administration Console.
Before you start the configuration process, be sure that you
know the answers to the following questions:
1. Is the server's firewall configured to allow clients to
access the server?
2. Can this computer connect to the upstream server (such as
Microsoft Update)?
3. Do you have the name of the proxy server and the user
credentials for the proxy server, if you need them?
By default, WSUS 3.0 SP2 is configured to use
Microsoft Update as the location from which to obtain updates. If you have a
proxy server on the network, you can configure WSUS 3.0 SP2 to use
the proxy server. If there is a corporate firewall between WSUS and the Internet,
you might have to configure the firewall to ensure that WSUS can obtain
updates.
Although Internet connectivity is required to download
updates from Microsoft Update, WSUS offers you the ability to import updates
onto networks that are not connected to the Internet.
Step 3 contains the following procedures:
· Configure
your firewall.
· Specify
the way this server will obtain updates (either from Microsoft Update or from
another WSUS server).
· Configure
proxy server settings, so that WSUS can obtain updates.
· If
there is a corporate firewall between WSUS and the Internet, you might have
to configure that firewall to ensure WSUS can obtain updates. To obtain
updates from Microsoft Update, the WSUS server uses port 80 for HTTP
protocol and port 443 for HTTPS protocol. This is not configurable.
· If
your organization does not enable port 80 or port 443 to be open to
all addresses, you can restrict access to only the following domains, so that
WSUS and Automatic Updates can communicate with Microsoft Update:
· http://windowsupdate.microsoft.com
· http://*.windowsupdate.microsoft.com
· https://*.windowsupdate.microsoft.com
· http://*.update.microsoft.com
· https://*.update.microsoft.com
· http://*.windowsupdate.com
· http://download.windowsupdate.com
· http://download.microsoft.com
· http://*.download.windowsupdate.com
· http://wustat.windows.com
· http://ntservicepack.microsoft.com
|
These instructions about how to configure the firewall are meant for a
corporate firewall positioned between WSUS and the Internet. Because WSUS
initiates all of its network traffic, you do not have to configure Windows
Firewall on the WSUS server.
Although the connection between Microsoft Update and WSUS
requires ports 80 and 443 to be open, you can configure multiple WSUS servers
to synchronize with a custom port.
The next two procedures assume that you are using the
Configuration Wizard. In a later section in this step, you will learn how to
start the WSUS Administration snap-in and configure the server through the
Options page.
1. From the configuration wizard, after
joining the Microsoft Improvement Program, click Next
to select the upstream server.
2. If you choose to synchronize from Microsoft
Update, you are finished with the Options page. Click Next,
or select Specify Proxy Server from the navigation
pane.
3. If you choose to synchronize from another
WSUS server, specify the server name and the port on which this server will
communicate with the upstream server.
4. To use SSL, select the Use
SSL when synchronizing update information check box. In that case the
servers will use port 443 for synchronization. (Make sure that both this
server and the upstream server support SSL.)
5. If this is a replica server, select the This is a replica of the upstream server check box.
6. At this point, you are finished with
upstream server configuration. Click Next, or select Specify proxy server from the left navigation pane.
|
1. On the Specify Proxy Server
page of the configuration wizard, select the Use a proxy
server when synchronizing check box, and then type the proxy server
name and port number (port 80 by default) in the corresponding boxes.
2. If you want to connect to the proxy server
by using specific user credentials, select the Use user
credentials to connect to the proxy server check box, and then type
the user name, domain, and password of the user in the corresponding boxes.
If you want to enable basic authentication for the user connecting to the
proxy server, select the Allow basic authentication (password
is sent in cleartext) check box.
3. At this point, you are finished with proxy
server configuration. Click Next to go to the next
page, where you can start to set up the synchronization process.
|
The following two procedures assume that you are using the
WSUS Administration snap-in for configuration. These two procedures show how to
start the WSUS Administration snap-in and configure the server from the Options page.
· To
start the WSUS Administration Console, click Start,
point to All Programs, point to Administrative
Tools, and then click Windows Server Update Services
3.0.
|
In order to use all the features of the console, log on as a
member of either the WSUS Administrators or the Local Administrators security
groups on the server on which WSUS is installed. Members of the WSUS Reporters
security group have read-only access to the console.
1. On the WSUS console, click Options
in the left pane under the name of this server, and then click Update Source and Proxy Server in the middle pane.
A dialog box will be displayed with Update
Source and Proxy Server tabs.
2. In the Update Source
tab, select the location from which this server will obtain updates. If you
choose to synchronize from Microsoft Update (the default), you are finished
with this wizard page.
3. If you choose to synchronize from another
WSUS server, you have to specify the port on which the servers will
communicate (the default is port 80). If you select a different port,
you should ensure that both servers can use that port.
4. You may also specify whether to use SSL
when synchronizing from the upstream WSUS server. In that case, the servers
will use port 443 to synchronize from the upstream server.
5. If this server is a replica of the second
WSUS server, select the This is a replica of the upstream
server check box. In this case all updates must be approved on the
upstream WSUS server only.
6. In the Proxy server
tab, select the Use a proxy server when synchronizing
check box, and then type the proxy server name and port number (port 80
by default) in the corresponding boxes.
7. If you want to connect to the proxy server
by using specific user credentials, select the Use user
credentials to connect to the proxy server check box, and then type
the user name, domain, and password of the user in the corresponding boxes.
If you want to enable basic authentication for the user connecting to the
proxy server, select the Allow basic authentication (password
in cleartext) check box.
8. Click OK to save
these settings.
|
Next Step
Step 4:
Configure Updates and Synchronization
This section describes how to configure a set of updates
that you want to download by using Windows Server Update Services 3.0
Service Pack 2 (WSUS 3.0 SP2).
Step 4 Procedures
You can do these procedures by using either the WSUS
Configuration Wizard or the WSUS Administration Console.
1. Save and download information about your
upstream server and proxy server.
2. Choose the language of the updates.
3. Select the products for which you want to
receive updates.
4. Choose the classifications of updates.
5. Specify the synchronization schedule for this
server.
After you configure the network connection, you can download
updates by synchronizing the WSUS server. Synchronization begins when the WSUS
server contacts Microsoft Update. After the WSUS makes contact, WSUS determines
whether any new updates have been made available since the last time you
synchronized. When you synchronize the WSUS server for the first time, all the
updates are available and are ready for your approval for installation. The
initial synchronization may take a long time.
The procedures in this section describe synchronizing with
the default settings. WSUS 3.0 SP2 also includes options that enable you to
minimize bandwidth use during synchronization.
If You Are Using the Windows Server Update Services Configuration Wizard
In the step 3 procedures, you completed configuration of the
upstream server and the proxy server. This next set of procedures starts on the
Connect to Upstream Server page of that configuration
wizard.
1. On the Connect to Upstream Server page of
the configuration wizard, click the Start Connecting
button. This both saves and uploads your settings and collects information
about available updates.
2. While the connection is being made, the Stop Connecting button will be available. If there are
problems with the connection, click Stop Connecting,
fix the problems, and restart the connection.
3. After the download has completed
successfully, click Next.
|
1. The Choose Languages page lets you receive
updates from all languages or from a subset of languages. Selecting a subset
of languages will save disk space, but it is important to choose all of the
languages that will be needed by all the clients of this WSUS server.
If you choose to get updates only for specific
languages, select Download updates only in these languages,
and select the languages for which you want updates.
2. Click Next.
|
1. The Choose Products page lets you specify
the products for which you want updates. Select product categories, such as
Windows, or specific products, such as Windows Server 2008.
Selecting a product category will cause all the products in that category to
be selected.
2. Click Next.
|
1. The Choose Classifications page allows you
to specify the update classifications you want to obtain. Choose all the
classifications or a subset of them.
2. Click Next
|
1. On the Set Sync Schedule page, you choose
whether to perform synchronization manually or automatically.
If you choose Synchronize manually,
you must start the synchronization process from the WSUS Administration
Console.
If you choose Synchronize automatically,
the WSUS server will synchronize at set intervals. Set the time of the First synchronization and specify the number of Synchronizations per day that you want this server to
perform. For example, if you specify that there should be four
synchronizations per day, starting at 3:00 A.M., synchronizations will occur
at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M.
2. Click Next.
3. On the Finished page, you can start the
WSUS Administration Console by leaving the Launch the Windows
Server Update Services Administrations snap-in check box selected, and
you can start the first synchronization by leaving the Begin
initial synchronization check box selected.
4. Click Finish.
You cannot save configuration changes that are made
while the server is synchronizing. Wait until synchronization is finished and
then make your changes.
|
If You Are Using the WSUS Administration Console
The following procedures explain how to perform the
configuration steps by using the WSUS Administration Console.
1. In the Options panel,
click Products and Classifications. A dialog box appears
with Products and Classifications
tabs.
2. In the Products tab,
select the product category or specific products for which you want this
server to receive updates, or else select All Products.
3. In the Classifications
tab, select the update classifications you want, or else select All Classifications.
4. Click OK to save your
selections.
|
1. In the Options panel,
click Update Files and Languages. A dialog box appears
with Update Files and Update Languages
tabs.
2. In the Update Files
tab, choose whether to Store update files locally on this
server or to have all client computers install from Microsoft Update.
If you decide to store update files on this server, you also decide whether
to download only those updates that are approved or to download express
installation files.
3. In the Update Languages
tab, if you are storing update files locally, you choose to Download
updates for all languages (the default), or to Download
updates only in the specified languages. If this WSUS server has
downstream servers, they will receive updates only in the languages specified
by the upstream server.
4. Click OK to save
these settings.
|
1. In the Options panel,
click Synchronization Schedule.
2. In the Synchronization
Schedule tab, you choose whether to perform synchronization manually
or automatically.
If you choose Synchronize manually,
you will have to start the synchronization process from the WSUS
Administration Console.
If you choose Synchronize automatically,
the WSUS server will synchronize at set intervals. Set the time of the First synchronization and specify the number of Synchronizations per day that you want this server to
perform. For example, if you specify that there should be four synchronizations
per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M.,
9:00 A.M., 3:00 P.M., and 9:00 P.M.
3. Click OK to save your
selections.
4. In the navigation pane of the WSUS
Administration Console, select Synchronizations.
5. Right-click or move to the Actions
pane on the right side, and then click Synchronize Now.
If you do not see the Actions pane
on the right side of the console, on the console toolbar click View, click Customize, and ensure that
the Action pane check box is selected.
6. After the synchronization is complete, in
the left panel, click Updates to view the list of
updates.
|
Next Step
Step 5:
Configure Client Updates
In Windows Server Update Services 3.0
(WSUS 3.0 SP2), the WSUS Setup automatically configures IIS to
distribute the latest version of Automatic Updates to each client computer that
contacts the WSUS server.
The best way to configure Automatic Updates depends on the
network environment. In an environment that uses Active Directory directory
service, you can use an existing domain–based Group Policy object (GPO) or
create a new GPO. In an environment without Active Directory, use the Local
GPO. In this step, you will configure Automatic Updates and then point the
client computers to the WSUS server.
The following procedures assume that your network runs
Active Directory. These procedures also assume that you are familiar with Group
Policy and use it to manage the network.
For more information about Group Policy, refer to the Group
Policy Tech Center Web site at http://go.microsoft.com/fwlink/?LinkID=47375.
Step 5 Procedures
In step 4, you completed configuration of the updates that
you want to download. Use this set of procedures to configure automatic updates
for client computers.
1. Configure Automatic Updates in Group Policy.
2. Point a client computer to the WSUS server.
3. Manually start detection by the WSUS server.
Perform the first two
procedures on the domain–based GPO of your choice, and the third procedure at a
command prompt on the client computer.
1. In the Group Policy Management Console
(GPMC), browse to the GPO on which you want to configure WSUS, and then click
Edit.
2. In the GPMC, expand Computer
Configuration, expand Administrative Templates,
expand Windows Components, and then click Windows Update.
3. In the details pane, double-click Configure Automatic Updates.
4. Click Enabled, and
then click one of the following options:
· Notify for download and notify for install. This option
notifies a logged-on administrative user before the download and before you
install the updates.
· Auto download and notify for install. This option
automatically begins downloading updates and then notifies a logged-on
administrative user before installing the updates.
· Auto download and schedule the install. This option
automatically begins downloading updates and then installs the updates on the
day and time that you specify.
· Allow local admin to choose setting. This option lets local
administrators to use Automatic Updates in Control Panel to select a
configuration option. For example, they can choose their own scheduled
installation time. Local administrators cannot disable Automatic Updates.
5. Click OK.
|
1. In the Windows Update
details pane, double-click Specify intranet Microsoft update
service location.
2. Click Enabled, and
type the HTTP URL of the same WSUS server in the Set the
intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http://servername in both boxes, and then click OK.
|
If you are using the Local GPO to point the computer to
WSUS, this setting takes effect immediately, and this computer appears in the
WSUS Administrative Console after a short time. You can speed up this process
by manually initiating a detection cycle.
After you set up a client computer, it will take several
minutes before the computer appears on the Computers page
in the WSUS Administration Console. For client computers configured with a
domain-based Group Policy, it can take about 20 minutes after Group Policy
refreshes (that is, applies any new policy settings to the client computer). By
default, Group Policy updates in the background every 90 minutes, with a random
offset of 0–30 minutes. If you want to update Group Policy sooner, you can go
to a command prompt on the client computer and type gpupdate /force.
For client computers configured by using the Local GPO,
Group Policy is applied immediately, and the update takes about 20 minutes.
If you begin detection manually, you do not have to wait 20
minutes for the client computer to contact WSUS.
1. On the client computer, click Start, and then click Run.
2. Type cmd
in the Open box, and then click OK.
3. At the command prompt, type wuauclt.exe /detectnow. This
command-line option instructs Automatic Updates to contact the WSUS server
immediately.
|
Next Step
Step 6:
Configure Computer Groups
Computer groups are an important part of
Windows Server Update Services 3.0 Service Pack 2
(WSUS 3.0 SP2) deployments. Computer groups permit you to test
updates and target updates to specific computers. There are two default
computer groups: All Computers and Unassigned Computers. By default, when each
client computer first contacts the WSUS Server, the server adds that client
computer to both of these groups.
You can create as many custom computer groups as you need to
manage updates in your organization. As a best practice, create at least one
computer group to test updates before you deploy them to other computers in
your organization.
Step 6 Procedures
1. Create a test computer group.
2. Move at least one computer into the test
group.
1. In the WSUS Administration Console, expand Computers and select All Computers.
2. Right-click All Computers
and click Add Computer Group.
3. In the Add Computer Group
dialog box, specify the Name of the new test group and
click Add.
|
In the next procedure, you will assign a client computer to
the test group. A test computer is any computer that has software and hardware
that is consistent with the majority of client computers on the network, yet
not assigned to a critical role. After your tests are successful, you can
approve the updates for computers in the groups of your choice.
1. In the WSUS Administration Console, click Computers.
2. Click the group of the computer that you
want to assign to the test group.
3. In the list of computers, select the
computer or computers that you want to assign to the test group.
4. Right-click Change
Membership.
5. In the Set Computer Group
Membership dialog box, select the test group that you created
previously, and then click OK.
|
Repeat these two procedures, that is, create a group and
then assign computer(s) to the group, to create as many additional computer
groups as needed to manage updates at your site.
Next Step
Step 7: Approve
and Deploy WSUS Updates
In this step, you approve an update for any computers in the
test group for Windows Server Update Services 3.0
Service Pack 2 (WSUS 3.0 SP2). Computers in the group
automatically contact the WSUS server over the next 24 hours to obtain the
update. You can use the WSUS reporting feature to determine whether those
updates were deployed to the test computers. When the tests are successfully
completed, you can then approve the updates for the applicable computer groups
in your organization.
Step 7 Procedures
· Approve
and deploy an update.
· Check
the status of an update.
1. On the WSUS Administration Console, click Updates. An update status summary is displayed for All Updates, Critical Updates, Security Updates, and WSUS Updates.
2. In the All Updates
section, click Updates needed by computers.
3. On the list of updates, select the updates
that you want to approve for installation on your test computer group.
Information about a selected update is available in the bottom pane of the
Updates panel. To select multiple contiguous updates, hold down the SHIFT key while clicking updates; to select multiple
noncontiguous updates, press down the CTRL key while
clicking updates.
4. Right-click the selection and click Approve.
5. In the Approve Updates
dialog box, select your test group, and then click the down arrow.
6. Click Approved for Install
and then click OK.
7. The Approval Progress window appears which
shows progress of the tasks that affect update approval. When approval is completed,
click Close.
|
After 24 hours, you can use the WSUS Reports feature to
determine whether the updates were deployed to the test group computers.
1. In the navigation pane of the WSUS
Administration Console, click Reports.
2. On the Reports page,
click the Update Status Summary report. The Updates Report window appears.
3. If you want to filter the list of updates,
select the criteria that you want to use, for example, Include
updates in these classifications, and then click Run
Report on the window's toolbar.
4. You will see the Updates
Report pane. You can check the status of individual updates by
selecting the update in the left section of the pane. The last section of the
report pane shows the status summary of the update.
5. You can save or print this report by
clicking the applicable icon on the toolbar.
6. After you test the updates, you can approve
the updates for installation on the applicable computer groups in your
organization.
|
No comments:
Post a Comment