Key Considerations for WSUS 6.2 on Windows Server 2012 R2

Thursday May 21st 2015 by Nirmal Sharma

Get up to speed with our handy list of tips and tricks for painlessly installing and operating a Windows Server Update Services server.

Windows Server Update Services (WSUS) enables enterprise administrators to manage and distribute critical and important updates to Windows computers. A WSUS Server can be configured to pull updates from Microsoft Update Servers or from a root WSUS Server configured in an organization's network.

A WSUS Server that is configured in an organization's network as an update source is always called an Upstream Server. All other WSUS Servers that are configured to talk to the upstream WSUS Server are called downstream WSUS servers.

Generally, downstream WSUS servers are located on the branch locations and become the authoritative source for distributing updates to Windows client computers.

Do I need to download WSUS from Microsoft's Site?

In earlier versions of Windows, you had to download WSUS software directly from Microsoft's site. But in Windows Server 2012 and later versions, WSUS ships as a server role and can be installed from the Server Manager.

WSUS on Windows Server 2012 R2 includes Windows PowerShell cmdlets that can be used to perform administrative or repetitive WSUS tasks from a command prompt. Before you install WSUS Server on a Windows Server 2012 or later operating system, make sure to first install .NET Framework 4.0. It is also important to note that the account you plan to use to install WSUS Server must be a member of the local Administrators group on the server where the WSUS Server role is installed.

Which Network Ports are used by WSUS?

There are two types of WSUS communication: communication between upstream and downstream WSUS Servers, and communication from upstream WSUS Servers to Microsoft Update Servers. In WSUS 6.2 on Windows Server 2012, Microsoft changed the way WSUS Servers communicate with each other.

In earlier versions, such as WSUS version 3.2, downstream WSUS Servers connected to upstream WSUS Servers over network ports 80 (HTTP) and 443 (HTTPS). In WSUS 6.2, this has been changed.

Upstream and downstream WSUS Servers now communicate over port 8530 for HTTP and port 8531 for HTTPS. If you have a firewall configured on the WSUS Servers, make sure to allow inbound traffic on these ports so that the WSUS Servers can communicate with each other successfully.
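One way to open these ports on the upstream server with Windows Firewall, as an added example that is not part of the original article. Limiting the rules to the downstream servers' addresses is a choice made here, and the addresses and host name are placeholders.

```powershell
# Added example: allow the WSUS 6.2 ports inbound, but only from known downstream servers.
# The addresses below are constructed placeholders (TEST-NET-1), not real hosts.
$DownstreamServers = @('192.0.2.10', '192.0.2.11')

$rules = @(
    @{ Name = 'WSUS downstream sync (HTTP 8530)';  Port = 8530 },
    @{ Name = 'WSUS downstream sync (HTTPS 8531)'; Port = 8531 }
)

foreach ($rule in $rules) {
    # Skip creation if a rule with this display name already exists.
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name `
            -Direction Inbound -Protocol TCP -LocalPort $rule.Port `
            -RemoteAddress $DownstreamServers -Action Allow | Out-Null
    }
}

# Confirm the upstream server is actually listening on each port.
foreach ($port in 8530, 8531) {
    $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    $state = if ($listening) { 'listening' } else { 'not listening' }
    '{0}: {1}' -f $port, $state
}

# From a downstream server, confirm the path through the firewall
# ('wsus-upstream.example.test' is a placeholder name):
#   Test-NetConnection -ComputerName 'wsus-upstream.example.test' -Port 8531
```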

As for communication between upstream WSUS Servers and Microsoft Update Servers, communication takes place over network ports 80 for HTTP and 443 for HTTPS. In case you have a proxy server on the network, you might want to change WSUS to use the proxy server.

And in cases where your corporate policy does not allow HTTP and HTTPS traffic for all sites, make sure to configure your firewall to allow HTTP and HTTPS network traffic for the following Microsoft Update URLs:

  • http://windowsupdate.microsoft.com

  • http://*.windowsupdate.microsoft.com

  • https://*.windowsupdate.microsoft.com

  • http://*.update.microsoft.com

  • https://*.update.microsoft.com

  • http://*.windowsupdate.com

  • http://download.windowsupdate.com

  • http://download.microsoft.com

  • http://*.download.windowsupdate.com

  • http://wustat.windows.com

  • http://ntservicepack.microsoft.com
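To check a proxy or firewall policy against this list, the following added example (not from the original article) compares logged requests from the upstream WSUS server with the entries above. The log records are constructed, and the matching assumes a strict reading in which the scheme must match and `*.` requires a subdomain.

```powershell
# Allow-list exactly as given in the article (scheme plus host pattern).
$AllowList = @(
    'http://windowsupdate.microsoft.com', 'http://*.windowsupdate.microsoft.com',
    'https://*.windowsupdate.microsoft.com', 'http://*.update.microsoft.com',
    'https://*.update.microsoft.com', 'http://*.windowsupdate.com',
    'http://download.windowsupdate.com', 'http://download.microsoft.com',
    'http://*.download.windowsupdate.com', 'http://wustat.windows.com',
    'http://ntservicepack.microsoft.com'
)

function Test-WsusAllowed {
    param([string]$Url)
    $u = [uri]$Url
    foreach ($entry in $AllowList) {
        $scheme, $hostPattern = $entry -split '://', 2
        # Scheme must match exactly; the host is compared with the wildcard pattern.
        if ($u.Scheme -eq $scheme -and $u.Host -like $hostPattern) { return $true }
    }
    return $false
}

# Constructed proxy log records for the upstream WSUS server (not real traffic).
$ProxyLog = @(
    [pscustomobject]@{ Action = 'DENY';  Url = 'http://download.windowsupdate.com/sample/update.cab' }
    [pscustomobject]@{ Action = 'ALLOW'; Url = 'https://sub.update.microsoft.com/sample' }
    # No subdomain, so '*.update.microsoft.com' does not cover this host.
    [pscustomobject]@{ Action = 'DENY';  Url = 'https://update.microsoft.com/sample' }
    [pscustomobject]@{ Action = 'ALLOW'; Url = 'http://updates.example.test/sample.cab' }
)

foreach ($rec in $ProxyLog) {
    $expected = if (Test-WsusAllowed $rec.Url) { 'ALLOW' } else { 'DENY' }
    $finding = 'ok'
    if ($rec.Action -ne $expected) {
        # A mismatch is either a broken sync path or a policy wider than the list.
        $finding = if ($expected -eq 'ALLOW') { 'blocked but on allow-list' } else { 'allowed but not on allow-list' }
    }
    [pscustomobject]@{ Url = $rec.Url; Proxy = $rec.Action; Expected = $expected; Finding = $finding }
}
```

With the sample records, the first line is reported as blocked although it is on the list, and the last as allowed although it is not.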

Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He has specialized in Microsoft Technologies since 1994 and has followed the progression of Microsoft Operating System and software. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Solution IDs for www.Dynamic-SpotAction.com. Nirmal can be reached at nirmal_sharma@mvps.org.


What database options are available with WSUS?

WSUS requires a database to store update metadata and configuration information. WSUS can use one of the following databases: Windows Internal Database (WID) or Microsoft SQL Server database.

Windows Internal Database ships with the Windows operating system, and there are no additional license costs associated with it. Most organizations opt to use the Windows Internal Database to help reduce licensing costs, but it is important to note that WID will not work when installing WSUS Server in a load balancing/high availability scenario. As a result, you must choose the SQL Server database option when installing WSUS Server in a load balancing/high availability scenario.

In case you are planning to install a WSUS role on a computer that is separate from the database computer, take note of the following points:

  • The database server must not be configured on a domain controller.

  • Remote Desktop Services role must not be installed on the computer where the WSUS Server role is installed.

  • In case database and WSUS servers are in a different Active Directory domain, make sure you have a trust relationship between both the Active Directory domains.

Can WSUS Server traffic be load balanced?

In a large production environment, you will always set up WSUS on a Network Load Balancing cluster to increase the reliability and performance of WSUS Servers. If you want to set up WSUS in an NLB cluster, WSUS Server must be installed using the Microsoft SQL Database option.

It is important to note that updates that are stored locally on the WSUS Server must be available to all WSUS Servers that are sharing the same SQL database.

Is it necessary to connect WSUS to the internet to get updates from Microsoft Update Servers?

A WSUS Server can be configured in an offline mode. Generally, these WSUS Servers are called Disconnected WSUS Servers. In cases where a WSUS Server cannot connect to the Internet to obtain updates directly from Microsoft Update Servers due to corporate Internet policies, an offline WSUS Server can be installed.

After downloading and testing updates on a WSUS Server that is connected to the Internet, administrators can export the content to an external hard disk and then import the contents to the WSUS Servers running in disconnected mode.
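Because the exported content travels on removable media, it is worth confirming that what arrives is what was exported. The following added example (not from the original article) builds a SHA-256 manifest on the connected side and checks it on the disconnected side before the import; all paths are placeholders.

```powershell
# Added example: SHA-256 manifest for an export carried to a disconnected WSUS server.
# Keep the manifest outside $Root and move it (or its hash) by a separate channel.
function Get-RelativeHashes {
    param([string]$Root)
    $rootPath = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $hashes = @{}
    foreach ($file in Get-ChildItem -LiteralPath $rootPath -Recurse -File) {
        $rel = $file.FullName.Substring($rootPath.Length + 1)
        $hashes[$rel] = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

function New-TransferManifest {
    param([string]$Root, [string]$ManifestPath)
    $hashes = Get-RelativeHashes -Root $Root
    $hashes.GetEnumerator() |
        ForEach-Object { [pscustomobject]@{ RelativePath = $_.Key; Sha256 = $_.Value } } |
        Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-TransferManifest {
    param([string]$Root, [string]$ManifestPath)
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.Sha256 }
    $actual = Get-RelativeHashes -Root $Root
    $problems = @()
    foreach ($rel in $expected.Keys) {
        if (-not $actual.ContainsKey($rel)) { $problems += "missing: $rel" }
        elseif ($actual[$rel] -ne $expected[$rel]) { $problems += "modified: $rel" }
    }
    foreach ($rel in $actual.Keys) {
        if (-not $expected.ContainsKey($rel)) { $problems += "unexpected: $rel" }
    }
    return $problems
}

# Connected side, after the export (placeholder paths):
#   New-TransferManifest -Root 'E:\WsusExport' -ManifestPath 'C:\Transfer\manifest.csv'
# Disconnected side, before the import:
#   $problems = Test-TransferManifest -Root 'E:\WsusExport' -ManifestPath 'C:\Transfer\manifest.csv'
#   if ($problems) { $problems; throw 'Export differs from manifest; do not import.' }
```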

How many WSUS PowerShell cmdlets are available?

There are about 12 PowerShell cmdlets that are installed as part of a WSUS Server role installation. These PowerShell cmdlets are very helpful when you want to perform WSUS administrative or repeated tasks from a command prompt.

For example, you can use the Approve-WsusUpdate cmdlet to approve updates to be applied to client computers. Similarly, if you encounter a situation where you need to decline all the updates, you can use the Deny-WsusUpdate PowerShell cmdlet. As an example, the following command approves all updates that are unapproved with a status of failed or needed.

  • Get-WsusUpdate -Classification All -Approval Unapproved -Status FailedOrNeeded | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"

And to decline all updates, run the command below:

  • Get-WsusUpdate -Classification All -Approval Unapproved -Status FailedOrNeeded | Deny-WsusUpdate
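The same cmdlets can be used for a narrower, reviewable approval instead of approving everything for "All Computers" in one step. This is an added example, not from the original article; the target group 'Pilot Computers' and the CSV file name are hypothetical, and the group must already exist on the WSUS Server.

```powershell
# Added example: review, dry-run, then approve security updates for a pilot group.
# 'Pilot Computers' is a hypothetical target group name.
$PilotGroup = 'Pilot Computers'

# 1. Collect the candidates once, so the reviewed set and the approved set are identical.
$candidates = @(Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded)
if ($candidates.Count -eq 0) {
    'No unapproved security updates are needed or failed.'
    return
}

# 2. Keep a record of what is about to be approved.
$record = ".\wsus-approval-$(Get-Date -Format yyyyMMdd-HHmm).csv"
$candidates |
    Select-Object @{ Name = 'Title'; Expression = { $_.Update.Title } }, Classification |
    Export-Csv -Path $record -NoTypeInformation

# 3. Dry run: -WhatIf lists each approval without changing anything.
$candidates | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup -WhatIf

# 4. Approve for the pilot group only; -Confirm prompts before each change.
$candidates | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup -Confirm
```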

Copyright 2017 © QuinStreet Inc. All Rights Reserved