WSUS update management process

Initial synchronization can take over an hour. All synchronizations after that should be significantly quicker. If there is a corporate firewall between your network and the Internet, you will have to open these ports on the server that communicates directly with Microsoft Update. If you plan to use custom ports for this communication, you must open those ports instead. Administrators can deploy multiple servers running WSUS that synchronize all content within their organization's intranet.

You might expose only one server to the Internet, which would be the only server that downloads updates from Microsoft Update. This server is set up as the upstream server, the source to which the downstream servers synchronize. Where applicable, servers can be located throughout a geographically dispersed network to provide the best connectivity to all client computers. If corporate policy or other conditions limit computer access to the Internet, administrators can set up an internal server to run WSUS.

An example of this is a server that is connected to the intranet but is isolated from the Internet. After downloading, testing, and approving the updates on this server, an administrator would export the update metadata and content to a DVD. You can create complex hierarchies of WSUS servers.

A WSUS server hierarchy deployment offers the following benefits:

- You can download updates one time from the Internet and then distribute them to client computers by using downstream servers. This method saves bandwidth on the corporate Internet connection.
- You can download updates to a WSUS server that is physically closer to the client computers, for example, in branch offices.
- You can set up separate WSUS servers to serve client computers that use different languages of Microsoft products.

We recommend that you do not create a WSUS server hierarchy that is more than three levels deep. Each level adds time to propagate updates throughout the connected servers. Although there is no theoretical limit to a hierarchy, only deployments with a hierarchy five levels deep have been tested by Microsoft. Also, downstream servers must be at the same version of WSUS as the upstream server that is their synchronization source, or at an earlier version.

You can connect WSUS servers in Autonomous mode to achieve distributed administration or in Replica mode to achieve centralized administration. You do not have to deploy a server hierarchy that uses only one mode: you can deploy a WSUS solution that uses both autonomous and replica WSUS servers.

The Autonomous mode, also called distributed administration, is the default installation option for WSUS. In Autonomous mode, an upstream WSUS server shares updates with downstream servers during synchronization. Downstream WSUS servers are administered separately, and they do not receive update approval status or computer group information from the upstream server. By using the distributed management model, each WSUS server administrator selects update languages, creates computer groups, assigns computers to groups, tests and approves updates, and makes sure that the correct updates are installed to the appropriate computer groups.

The Replica mode, also called centralized administration, works by having an upstream WSUS server that shares updates, approval status, and computer groups with downstream servers.

Replica servers inherit update approvals and are not administered separately from the upstream WSUS server. If you set up several replica servers to connect to a single upstream WSUS server, do not schedule synchronization to run at the same time on each replica server; staggering the schedules avoids sudden surges in bandwidth usage. This type of deployment offers the following advantages:

To enable BranchCache acceleration of content that is served by the WSUS server, install the BranchCache feature on the server and the clients, and ensure that the BranchCache service has started.

No other steps are necessary. In branch offices that have low-bandwidth connections to the central office but high-bandwidth connections to the Internet, the Branch Office feature can also be used.

In this case you may want to configure downstream WSUS servers to get information about which updates to install from the central WSUS server, but to download the updates themselves from Microsoft Update. You need only set up each WSUS server, keeping the following considerations in mind. WSUS setup must be done serially.

Post-install tasks cannot be run on more than one server at the same time when those servers share the same SQL database.

If the network includes mobile users who log on to the network from different locations, you can configure WSUS to let roaming users update their client computers from the WSUS server that is closest to them geographically.

Before you install WSUS, you should decide how you want to implement storage. Updates are composed of two parts: metadata that describes the update, and the files that are required to install the update. Update metadata is typically much smaller than the actual update, and it is stored in the WSUS database. For a list of supported databases and remote database limitations, see section 1.

A single-server configuration can support several thousand WSUS client computers. Do not attempt to manage WSUS by accessing the database directly; doing so can corrupt the database. The corruption might not be immediately obvious, but it can prevent upgrades to the next version of the product.

WSUS supports Windows authentication only for the database. The name of this database is not configurable. Windows Internal Database is a suitable choice when:

- The organization has not already purchased, and does not require, a SQL Server product for any other application.
- You intend to deploy multiple WSUS servers (for example, in branch offices).

Windows Internal Database does not provide a user interface or any database management tools.

If you select this database for WSUS, you must use external tools to manage it. For more information, see Reindex the WSUS database.

When updates are synchronized to your WSUS server, the metadata and update files are stored in two separate locations.

My WSUS has been running for years without ever having maintenance done and the cleanup wizard keeps timing out. Completing the cleanup manually once would allow subsequent attempts from Configuration Manager to run successfully.

In that case, reindex with step 2 and step 3 first, then run the cleanup with only the Unused updates and update revisions option checked. If you have never run the WSUS Cleanup Wizard, running the cleanup with Unused updates and update revisions may require a few passes. If it times out, run it again until it completes, and then run each of the other options one at a time. Lastly, make a full pass with all options checked.

The Server Cleanup Wizard is located under Options in the WSUS console. For more information, see Use the Server Cleanup Wizard.

After it reports the number of items it has removed, the cleanup finishes. If you do not see this information returned on your WSUS server, it is safe to assume that the cleanup timed out. In that case, you will need to start it again or use the SQL alternative.
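The staged cleanup sequence described above (unused updates and revisions first, rerun until it completes, then each other option on its own, then a full pass) can be driven from PowerShell instead of the wizard. This is an added example, not code from the page or from Microsoft; it assumes the UpdateServices module that ships with the WSUS role and that it runs on the WSUS server as a WSUS administrator.

```powershell
# Added example: staged WSUS cleanup with the UpdateServices module.
# Assumes it runs on the WSUS server itself, under a WSUS administrator account.
Import-Module UpdateServices
$wsus = Get-WsusServer          # the local WSUS server on its default port

function Invoke-CleanupStep {
    # Runs one cleanup configuration, retrying on failure; returns $true on completion.
    param([hashtable]$Options, [int]$MaxPasses = 1)
    $name = ($Options.Keys | Sort-Object) -join ', '
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        try {
            $report = Invoke-WsusServerCleanup -UpdateServer $wsus @Options
            Write-Host "[$name] pass $pass completed"
            # Each report line is a counter such as "Obsolete Updates Deleted: 42".
            $report | ForEach-Object { Write-Host "  $_" }
            return $true
        } catch {
            # A timeout surfaces as an exception; the guidance is to rerun until
            # a pass completes, so log it and try again.
            Write-Warning "[$name] pass $pass did not complete: $($_.Exception.Message)"
        }
    }
    return $false
}

# Step 1: only "Unused updates and update revisions", repeated until it completes.
$obsolete = @{ CleanupObsoleteUpdates = $true }
if (-not (Invoke-CleanupStep -Options $obsolete -MaxPasses 5)) {
    throw 'Obsolete update cleanup never completed; reindex SUSDB or use the SQL alternative.'
}

# Step 2: the remaining wizard options, one at a time.
$singleSteps = @(
    @{ CleanupUnneededContentFiles = $true },
    @{ CompressUpdates = $true },
    @{ DeclineExpiredUpdates = $true },
    @{ DeclineSupersededUpdates = $true },
    @{ CleanupObsoleteComputers = $true }
)
foreach ($step in $singleSteps) { [void](Invoke-CleanupStep -Options $step) }

# Step 3: a full pass with every option checked.
$all = @{}
foreach ($step in (@($obsolete) + $singleSteps)) { $all += $step }
[void](Invoke-CleanupStep -Options $all)
```

The counters written for each pass are the same "number of items removed" the wizard reports; a pass that ends in a warning rather than counters is the timeout case the text describes.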

Reinstall WSUS with a fresh database. There are a number of caveats related to this, including the length of the initial sync and full client scans against SUSDB versus differential scans.

After it finishes, follow all of the above instructions for running maintenance. This last step is necessary because the spDeleteUpdate stored procedure only removes unused updates and update revisions.

Before you run the script, follow the steps in The spDeleteUpdate stored procedure runs slowly to improve the performance of spDeleteUpdate. Make a note of this setting. Run the following query. If this is set to expire immediately, the value in the SQL query for thresholdDays should be set to zero. To check progress, monitor the Messages tab in the Results pane.

If you decide you need one of these declined updates in Configuration Manager, you can get it back in WSUS by right-clicking the update, and selecting Approve. If the update is no longer in WSUS, it can be imported from the Microsoft Update Catalog, if it hasn't been expired or removed from the catalog.

If you are using Configuration Manager version or a later version, automate the cleanup procedures by enabling the WSUS Maintenance options in the software update point configuration of the top-level site.

However, you should still back up and reindex the WSUS database automatically on a schedule. If you have never run WSUS cleanup, you need to do the first two cleanups manually. Your second manual cleanup should be run 30 days after your first, since it takes 30 days for some updates and update revisions to age out. There are specific reasons why you don't want to automate until after your second cleanup: your first cleanup will probably run longer than normal, so you can't judge from it how long this maintenance will normally take.

The second cleanup is a much better indicator of what is normal for your machines. This is important because you need to figure out about how long each step takes as a baseline (I also like to add about minutes of wiggle room), so that you can determine the timing for your schedule.

If you have downstream WSUS servers, you will need to perform maintenance on them first, and then do the upstream servers. If you clean up the upstream servers first, it's possible your downstream servers will just end up resyncing all of the updates you just attempted to clean out.

I schedule this overnight before my AM sync, so I have time to check on it before my sync runs. As mentioned previously, if you are using Configuration Manager current branch version or a later version, automate the cleanup procedures by enabling the WSUS Maintenance options in the software update point configuration of the top-level site.

The Weekend Scripter blog post mentioned in the previous section contains basic directions and troubleshooting for this step.

However, I'll walk you through the process in the following steps. Open Task Scheduler and select Create a Task. On the General tab, set the name of the task and the user that you want to run the PowerShell script as (most people use a service account).

Select Run whether a user is logged on or not, and then add a description if you wish.

The minimum hardware requirements for WSUS are: .NET Framework 4. If an installed role or software update requires you to restart the server after the installation is complete, you need to restart the server before enabling the WSUS server role.

If you want to learn how to install WSUS, continue reading this part.

Step 1: Log on to the Windows server on which you plan to install the WSUS server role, using an account that is a member of the Local Administrators group.
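The Task Scheduler steps above (name, account to run the script as, "Run whether a user is logged on or not", description) can be registered from PowerShell with the ScheduledTasks module. This is an added example, not from the page; the script path, account name and start time are placeholders to replace with your own.

```powershell
# Added example: register the overnight WSUS maintenance task from PowerShell.
# Placeholders: the script path, the service account and the start time.
$scriptPath = 'C:\Scripts\WsusMaintenance.ps1'     # placeholder: your maintenance script
$account    = 'CONTOSO\svc-wsus'                    # placeholder: a dedicated service account
$cred       = Get-Credential -UserName $account -Message 'Password for the task account'

# What runs: powershell.exe with the script, without a profile so runs are reproducible.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -File `"$scriptPath`""

# When: overnight, well before the morning synchronization, so it can be checked first.
$trigger = New-ScheduledTaskTrigger -Daily -At '01:00'

# Guardrails: bound the run time and catch up if the server was off at trigger time.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 6) `
    -StartWhenAvailable

# Supplying -User and -Password is the equivalent of "Run whether a user is logged on
# or not": Task Scheduler stores the credentials and runs the task non-interactively.
Register-ScheduledTask -TaskName 'WSUS Maintenance' `
    -Description 'Reindex SUSDB and run the WSUS server cleanup' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $account -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest
```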

Then, click Next. Step 3: On the Select installation type page, select the Role-based or feature-based installation option.

You can check the status of individual updates by selecting the update in the left section of the pane. The last section of the report pane shows the status summary of the update. After you test the updates, you can approve the updates for installation on the applicable computer groups in your organization.
