I have been meaning to write this down for a while and finally got around to it :) ...
there are numerous reasons to have multiple WSUS servers in your organization, where the most logical is to spread load and provide high availability of WSUS infrastructure:
- when you are running SCCM 2012 SP1 (or higher)
- when you've got a complex WSUS hierarchy
and in both cases you've got strong HA requirements.
This blog post by Yvette OMeally provides in-depth coverage of the changes that were made in SCCM 2012 Service Pack 1 to optimize Software Update Point functionality. Basically you can now have multiple SCCM SUPs that are load-balanced automagically.
It always looks cool and wonderful in documentation and marketing booklets, but getting it up and running is not as simple as it seems, is it?
side note - the WSUS servers installed in this blog post are meant for a production SCCM 2012 R2 site with multiple SUPs.
For a recent customer I needed to deploy a relatively small SCCM 2012 R2 single-site hierarchy that must be made as available as possible. And yes, one of the aspects is to configure HA SUPs, which implies using redundant WSUS servers running with a shared SQL database and a shared content location.
Well... let's set it up :D
Short build info:
the environment is built on Windows Server 2012 R2 with the latest patch level up to the article's publishing date. SCCM and WSUS are using Microsoft SQL 2012 SP1 CU6.
Assumptions:
- you've got AD fully configured and functioning
- you've got properly installed and configured Microsoft SQL server with KERBEROS authentication
- you've got properly configured DFS namespace to host WSUS content share
- WSUS content share is configured to provide full read/write access for the computer accounts that will be running WSUS.
Installation
install first WSUS server
install WSUS role from server manager
select WSUS service and WSUS database
configure content share
configure database
provide the name of your DB server
run post installation configuration
if this pop-up appears, check the database and share configuration and click on OK
in a few minutes the WSUS configuration wizard will appear. when installing WSUS for SCCM this wizard may be skipped.
we'll proceed through the WSUS config to show it's working ;)
in the wizard I've configured WSUS to synchronize only critical updates for Windows Server 2012 R2
go to sync tab in WSUS console and run sync again
now we see that sync is working...
let's configure some additional settings to get the second, the third (and so on) WSUS servers working...
configure first server:
on the first WSUS server stop IIS, WSUS and Windows Update service (if it is running)
net stop W3SVC && net stop WsusService && net stop wuauserv
open IIS management and go to the "Content" virtual directory of the "WSUS Administration" site
modify the path that the "Content" virtual directory points to by prepending "\\" to it.
start the services again
net start W3SVC && net start WsusService && net start wuauserv
configure the SQL server:
WSUS post-setup config has created necessary SQL login and SUSDB user for the first server.
before installing any additional WSUS server we have to manually add a SQL login and configure a SUSDB user for the second WSUS server (and for the 3rd, 4th ...)
connect from SQL studio to the SQL instance hosting SUSDB and create a SQL login for the computer account of the second WSUS server
enter the server name manually, for example AD\WSUS2$; do not click on "browse"
map it to the SUSDB
go to Databases -> SUSDB -> Security -> Users and modify the properties of the just-created user by adding webservice to its membership
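The same login, user and role membership scripted in T-SQL, as an added example that is not part of the original post. It assumes the example account name AD\WSUS2$ from the step above and that the SUSDB database role is named webService; run it in a query window connected to the instance hosting SUSDB.

```sql
-- Added example: scripted equivalent of the SQL studio steps above.
-- AD\WSUS2$ is the example computer account from the text (assumption:
-- replace it with the real DOMAIN\HOSTNAME$ of each additional WSUS server).
USE [master];
GO

-- Windows login for the computer account (note the trailing $).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'AD\WSUS2$')
    CREATE LOGIN [AD\WSUS2$] FROM WINDOWS;
GO

USE [SUSDB];
GO

-- Database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'AD\WSUS2$')
    CREATE USER [AD\WSUS2$] FOR LOGIN [AD\WSUS2$];
GO

-- Grant only the webService role, as in the step above; no server roles
-- and no other database roles are added for the computer account.
ALTER ROLE [webService] ADD MEMBER [AD\WSUS2$];
GO

-- Check: list the members of webService; the new account should appear.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'webService'
ORDER BY m.name;
GO
```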
Install WSUS on the second server
install WSUS role from server manager
select only WSUS service
configure content share
stop IIS, WSUS and Windows Update service (if it is running)
net stop W3SVC && net stop WsusService && net stop wuauserv
start REGEDIT and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup
Modify the following keys:
ContentDir = \\ad.local\Infra\Software\WSUS
SqlServerName = database01
HINT - to avoid faults, just copy and paste the values of these two keys from the first server ;)
open IIS management and configure the path of the "Content" virtual directory to point to the location specified in the ContentDir reg key (just the same way we did it for the first server)
enable WSUS service (it might be still disabled as post-install configuration hasn't been run yet)
start IIS and WSUS services
start WSUS management console
if you get the window with share configuration, check the share location and click on OK. in a few minutes it should tell you that the config was successful
now that the console has opened we'll go to the synchronization tab and see the two syncs we've previously seen on the first WSUS server.
additionally you can run the following query on the SUSDB SQL and you'll see that both WSUS servers are talking to the database
SQL query (watch out for the right quotation marks around database name!)
select d.name, d.dbid, spid, login_time, nt_domain, nt_username, loginame
from sysprocesses p inner join sysdatabases d on p.dbid = d.dbid
where d.name = 'SUSDB'
go
and we are done :D
P.S. you can simplify your life by not using shared content location if you don't have to.
about shared content location:
there is currently no official Microsoft documentation available on TechNet regarding support for shared content location for WSUS 6.x servers.
actually there is nothing documented at all about it, except for WSUS 3.0 spX where it is stated that shared content location is only supported when placed on DFS.
References:
Software Update Points in Configuration Manager Service Pack 1
Best Practices for Software Updates in Configuration Manager
Considerations for multiple WSUS instances sharing a content database when using System Center Configuration Manager, but without Network Load Balancing (NLB)
Configuring WSUS 6.x for Network Load Balancing (NLB)
Configure WSUS for Network Load Balancing
A TechNet forum thread about shared WSUS content
With this configuration, can I configure NLB on it?
sure you can.
I am trying to configure this;
Not using DFS but sharing WSUS folder which is on the upstream server (this should be ok I guess as the updates itself will be pushed from DP)
****** I am a bit confused about UpdateServices-Database registry key. One of the downstream servers (which is an SCCM Site system server) reg value is set to 2. On the other WSUS downstream servers this reg key does not exist.
Should this value exist on the downstream server?
I suspect you mean the value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\Installed Role Services
I can't verify it on a multi-WSUS environment, however I think this key shows which components were installed on the server. the difference is probably because you've installed WSUS DB only while installing the 1st server, which sounds quite logical.