Home
.. About WSUS Wiki

WSUS
.. WSUS FAQ
.. WSUS on SBS
.. WSUS Troubleshooting
.. WSUS News Groups
.. Known WSUS Issues
.. WSUS Links
.. WSUS Wish List

WSUS Documents
.. WSUS Deployment Guide
.. WSUS Installation Guide
.. WSUS Release Notes
.. WSUS Best Practice

SUS
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues
.. SUS FAQ
.. What Is SUS
.. SUS Troubleshooting
.. SUS Links
.. SUS Known Issues

WSUS offers several configuration options that enable administrators to fit the product into their unique environment. Examples include server chaining, replicas, and offline updates. All of these topics are discussed at great length in the WSUS Deployment Guide. However, if your timeline doesn’t allow you to read a 140+ page guide prior to deployment, pursue the following article to understand key WSUS design components.

Building Blocks for Advanced Deployments

The components discussed in this document are mainly applicable for advanced WSUS deployments. Advanced deployments include distributed administrative environments, branch office networks, and bandwidth-sensitive links. If you have a relatively small network with 100 or fewer PCs, you can get by with a single server WSUS install.

Chaining

A distributed network often calls for multiple WSUS servers configured in something called a server chain. If you have two or more locations with 50+ PCs and servers separated by a WAN link, you may want to think about deploying local WSUS servers at each location. Server chains enable one WSUS server to synchronize with Microsoft Update over the Internet, and then relay those updates to additional downstream WSUS servers without incurring further Internet traffic.

Benefits of Chaining

• Only one server needs Internet connectivity to Microsoft Update to download updates/patches and metadata. Note: Metadata is simply information that describes the scope of the update/patch, such as which systems it applies to, etc.
• Downstream servers (those not communicating with Microsoft Update) can be administered autonomously from the upstream server. For instance, they can build their own computer groups, approve their own updates, etc. This is good if you have IT administrators at each location who want/need the ability to customize their local WSUS server.
• Chaining can be enabled or disabled at any time, providing flexibility for evolving networks. The option to enable chaining is a simple check box on the WSUS Synchronization Options Administration page.

Chaining Caveats

• Best practices recommend only three levels of nesting. This means if you need 20 WSUS servers you don’t want to chain them all together. Instead, create a hub and spoke design.
• All members of the chain must use the same storage option. For instance, if you choose the option to maintain updates locally on the master chain server, then all downstream servers will also store their updates locally.
• All members of the chain must use the same download options. If the master chain server is configured to only download updates after they have been approved, the downstream servers will mirror this setting as well.
• All members of the chain must use the same product filtering options. For instance, if the master chain server is configured to only download updates for Windows and Office (but not Exchange) then the downstream servers will only have these updates to choose from.

Replicas

Another option for advanced deployments is replica mode. Much like WSUS server chains, replica servers inherit settings and updates from their upstream master server. However, unlike server chains, replica servers are designed for environments where a central administrator controls computer groups and update approval for the entire enterprise.

The only information that isn’t synchronized between the master server and its replica servers is the content of the computer groups themselves. For instance, an administrator might create four computer groups on the master server named Branch A through Branch D. While all replica servers will receive these group names, they will not contain any members. The idea behind this design is that the WSUS administrator will create enough computer groups to cover the entire enterprise. Then, a WSUS replica server at a branch office will add the local PCs and servers to a group (say, Branch B) and the centrally approved patches for that group will be installed. It sounds complicated, but it really isn’t once you get wrap your brain around it. For more detailed information on replicas, refer to the WSUS Deployment Guide.

Offline Updates

If your environment demands a network segment be disconnected from the Internet, or disconnected from the rest of your network altogether, don’t think you need to resort to the “sneaker net” method of patch distribution. Simply build a stand-alone WSUS server and import updates from removable media such as tape or DVD-ROM.

The process of exporting the updates from an Internet-connected server, and then importing them into your disconnected one is well documented in the WSUS Deployment Guide. However, here are the steps at a high level to give you an idea of the process.

1. Build your stand-alone WSUS server and configure its language and express installation options to match that of the Internet-connected WSUS server that will provide updates.

2. Copy the update content directory from the Internet-connected WSUS server to removable media. Remember that this content directory may be quite large (multi-gigabytes) so you may need to resort to tape, dual-layer DVD, or external USB hard drive.

3. Export and copy the update metadata from the Internet-connected WUS server’s database to removable media.

4. Copy the update content from removable media onto the disconnected WSUS server.

5. Import the update metadata from removable media into the disconnected WUS server’s database.

Again, please refer to the documentation for full export/import procedures, including command-line tool options and correct file system paths to back up.

Conclusion

I hope that this article has armed you with enough information to begin planning your advanced WSUS deployment. WSUS is a very flexible tool that builds upon the foundation of SUS and the Automatic Updates client. Proper design and implementation will ensure your enterprise is well prepared to distribute Microsoft updates.