Wednesday, September 24, 2014

running multiple WSUS servers with shared database and central content share

I was going to write this down for a while and finally i've got so far :) ...

there are numerous reasons to have multiple WSUS servers in your organization, where the most logical is to spread load and provide high availability of WSUS infrastructure:
  • when you are running SCCM 2012 SP1 (or higher)
  • when you've got complex WSUS hierarchy
and in both cases you've got strong HA requirements

This blog post Yvette OMeally provides in-depth coverage of changes that were made in SCCM 2012 service pack 1 to optimize Software Update Point functionality. Basically you can now have multiple SCCM SUP's that can be load-balanced automagically.

It always looks cool and wonderful in documentation and marketing booklets, but it is however not as simple as it seems to get it up and running, isn't it?

side note - the WSUS servers installed in this blog post are meant for production SCCM 2012 R2 site with multiple SUP's.


For my recent customer i needed to deploy a relatively small SCCM 2012 R2 single site hierarchy that must be made as available as possible. And yes, one of the aspects is to configure HA SUP's, which implies using redundant WSUS servers running with shared SQL database and shared content location.

Well... let's set it up :D

Short build info:
the environment is built on Windows Server 2012 R2 with latest patch level up to the article's publishing date. SCCM and WSUS are using Microsoft SQL 2012 sp1 cu6

Assumptions:
  • you've got AD fully configured and functioning
  • you've got properly installed and configured Microsoft SQL server with KERBEROS authentication
  • you've got properly configured DFS namespace to host WSUS content share
  • WSUS content share is configured to provide all read/write acces for the computer accounts that will be running WSUS.

Installation

install first WSUS server

instal WSUS role from server manager
select WSUS service and WSUS database

configure content share


configure database

provide the name of you DB server

run post installation configuration

if this pop-up appears check database and share configuration and click on OK



in a few minutes WSUS configuration wizard will appear. when installing WSUS for SCCM this wizard may be omitted.
we'll proceed through the WSUS config to show it's working ;)
in the wizard i've configured WSUS to synchronize only critical updates for Windows Server 2012 R2

go to sync tab in WSUS console and run sync again

now we see that sync is working...

lets configure some additional settings to get the second, the third (and so on) WSUS servers working...

configure first server:
on the first WSUS server stop IIS, WSUS and Windows Update service (if it is running)
net stop W3SVC && net stop WsusService && net stop wuauserv

open IIS management and go to "Content" virtual directory of "WSUS Administration"site

modify path the "Content" virtual directory is pointing to by adding preceding "\\" to it.



start the services again
net start W3SVC && net start WsusService && net start wuauserv

configure the SQL server:
WSUS post-setup config has created necessary SQL login and SUSDB user for the first server.


before installin any additional WSUS server we have to manually add SQL login and configure SUSDB user for the second WSUS server (and for 3d, 4th ...)

connect from SQL studio to the SQL instance hosting SUSDB and create SQL login for the computer account of the second WSUS server

enter server name manually like for example AD\WSUS2$, do not click on "browse"


map it to the SUSDB

go to Databases -> SUSDB -> Security -> Users and modify just created user propertis by adding webservice to its mebership


 
Install WSUS on the second server


instal WSUS role from server manager
select only WSUS service


configure content share


stop IIS, WSUS and Windows Update service (if it is running)
net stop W3SVC && net stop WsusService && net stop wuauserv

start REGEDIT and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup

Modify the following keys: 
ContentDir = \\ad.local\Infra\Software\WSUS
SqlServerName = database01
HINT - to avoind faults, just copy and paste values of these two kees from the first server ;)

open IIS management and configure path of the "Content" virtual directory to to point to the location specified in ContentDir reg key (just the same way we did it for the first server)

enable WSUS service (it might be still disabled as post-install configuration hasn't been run yet)

start IIS and WSUS services

start WSUS management console

if you get the window with share configuration, check the share location and click on OK. in a few minutes it should tell that config was successful


now that console has opened we'll go to synchronization tab and see our two sync's we've previously seen on the first WSUS server.

additionally you can run the following query on the SUSDB SQL and you'll see that both WSUS servers are talking to the database

SQL query (watch out for the right quotation marks around database name!)
select d.name, d.dbid, spid, login_time, nt_domain, nt_username, loginame
from sysprocesses p inner join sysdatabases d on p.dbid = d.dbid
where d.name = 'SUSDB'
go

 

and we are done :D

P.S. you can simplify your life by not using shared content location if you don't have to.

about shared content location:
there is currently no official Microsoft documentation available on TechNet regarding support for shared content location for WSUS 6.x servers.
actually there is nothing documented at all about it, except for WSUS 3.0 spX where is stated that shared content location is only supported when placed on DFS.

References:
Software Update Points in Configuration Manager Service Pack 1 
Best Practices for Software Updates in Configuration Manager
Considerations for multiple WSUS instances sharing a content database when using System Center Configuration Manager, but without Network Load Balancing (NLB)
Configuring WSUS 6.x for Network Load Balancing (NLB)
Configure WSUS for Network Load Balancing 
A TechNet forum thread about shared WSUS content

4 comments:

  1. With this configuration, can I configure NLB on it?

    ReplyDelete
  2. I am trying to configure this;
    Not using DFS but sharing WSUS folder which is on the upstream server (this should be ok I guess as the updates its-self will be pushed from DP)
    ****** I am a bit confused about UpdateServices-Database registry key. One of the downstream server(which is an SCCM Site system server) reg value is set to 2. On the other WSUS downstream servers this reg key does not exist.

    Should this value exist on the downstream server?

    ReplyDelete
  3. i suspect you mean the value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\Installed Role Services
    i can't verify it on multy WSUS environment, however I think this key shows which components were installed on the server. the difference is probably because you've installed WSUS DB only while installing the 1-st server, which sounds quite logical.

    ReplyDelete