SolutionBase: Installing and configuring Windows Server Update Services

Keeping the operating systems on your workstations and network servers is vital. Managing all of the updates, however, can be a nightmare--especially in large organization. You can centralize the updating process by using Windows Server Update Services. Here's how it works.

Windows Server Updates Services provides a solution for businesses that need to deploy updates on the network. It provides administrators with a finer granularity of control when it comes to installing updates on servers and workstations throughout the network. Keeping your servers and workstations up to date with the latest fixes is vital. Here's how Windows Server Update Services can help.

Author's Note

In this article, I will outline the steps you need to complete in order to install and configure Windows Server Update Services on a computer running Microsoft Windows Server 2003. This article assumes you are familiar with Windows Update and Automatic Updates.

Windows Server Update Services

There are many benefits to using WSUS for deploying updates. One such benefit is that it gives administrators an opportunity to download updates to a specific server on the network and use them within a test environment before approving them for installation in the production environment. If you have ever installed updates, you are probably aware that installing them does not always produce positive results. So this gives administrators a chance to install the update before they are installed on production servers and workstations.

There are two different components to a software update infrastructure that uses WSUS. You have at least one server on the network running SUS and you have your automatic update clients as outlined below.

  • Windows Server Update Services server
    This component is installed on a computer running Windows 2000 or Windows Server 2003. Whenever updates are available on the Windows Update Site, the WSUS server can automatically download them (or they can be downloaded manually by an administrator). The updates can then be tested, published for users, and installed on workstations configured to use WSUS.
  • Automatic Update Clients
    This component is installed on all servers and workstations running Windows Server 2003, Windows 2000, and Windows XP so they can connect to the server on the internal network running WSUS.

Pre-installation tasks

Before you attempt to install WSUS on a server, there are some pre-installation tasks that you need to be completed. This will ensure that the server meets all the configuration requirements needed to install WSUS.

Disk requirements

The system partition and the partition that WSUS will be installed on must both be formatted with NTFS. The system partition requires at least 1 GB of free space and the volume that will be used to store WSUS content requires a minimum of 6 GB of free space. Finally, the volume that will host the Windows SQL Server 2000 Desktop Engine (WMSDE) requires a minimum of 2 GB of free space.

Hardware requirements

The server requirements do not stop there. Along with a specific disk configuration, the server must also meet specific hardware requirements. As you can see from the list below, the hardware requirements for WSUS are dependent on the number of clients on the network.

For networks with less than 500 clients:

  • 750 MHz Pentium III processor; 1 GHz Pentium III or higher recommended.
  • Microsoft Windows Server 2003 Standard or Enterprise Edition; Microsoft Windows 2000 Server or Advanced Server with SP4 or later
  • 512 MB of RAM; 1 GB or more recommended
  • CD-ROM or DVD-ROM drive; VGA or higher-resolution monitor; keyboard and Microsoft Mouse or compatible pointing device

For networks with more than 500 clients:

  • 1 GHz Pentium III processor or higher; 3 GHz Pentium IV or higher recommended
  • Microsoft Windows Server 2003 Standard or Enterprise Edition; Microsoft Windows 2000 Server or Advanced Server with SP4 or later
  • 1 GB of RAM or more
  • CD-ROM or DVD-ROM drive; VGA or higher-resolution monitor; keyboard and Microsoft Mouse or compatible pointing device

Software requirements

The software requirements vary depending on what platform WSUS is being installed on. When installing WSUS on Windows Server 2003, the software requirements that must be met includes:

  • Microsoft Internet Information Services (IIS) 6.0
  • Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003
  • Background Intelligent Transfer Service (BITS) 2.0

Firewall requirements

The firewall requirements are only applicable to those WSUS servers that are located behind a corporate firewall. In such cases, the corporate firewall may have to be configured to allow the WSUS server to obtain updates. WSUS requires port 80 for protocol and port 443 for HTTPS protocol. Alternatively, instead of opening those ports and protocols to all addresses, access can be restricted to the domains listed below:

  • http://*
  • https://*
  • http://*
  • https://*
  • http://*
  • http://*

Installing WSUS

Once your server meets the requirements outlined in the previous section, you should be ready to install WSUS. The process is straightforward and the steps are outlined below. Keep in mind that you must log on with a user account that is a member of the local Administrators group on the server in order to install WSUS.

  1. Double click WSUSSetup.exe (this is the file downloaded from Microsoft).
  2. Click Next when the Welcome screen appears.
  3. Click I accept the terms of the License Agreement and then click Next.
  4. From the Select Update Source, click Store updates locally and select the location on the server where the updates will be stored as shown in the Figure A. Click Next.

Figure A

WSUS setup requires you to specify where updates will be stored.
  1. On the Database Options screen, click Next to accept the default. This will install the WMSDE on the server.
  2. From the Web Site Selection screen shown in Figure B, specify the Web site that will be used by WSUS. The bottom of the screen will also list the URL that WSUS clients will obtain updates from and the URL for the WSUS console. Click Next.

Figure B

WSUS setup allows you to specify the Web site to use for the administration tool
  1. From the Mirror Update Settings screen, click Next to accept the default.
  2. Review the settings on the Ready to Install Windows Server Update Services screen and click Next.
  3. Click Finish.

Now that the software is installed, you are ready to begin configuring WSUS. The installation of WSUS includes an administrative component that is used to configure the server. You can access the WSUS console in one of two ways. You can open your Web browser and type in the address to the admin site (http://<yourservername:portnumber>/WSUSAdmin). Conversely, you can click Start, point to Administrative Tools, and select Microsoft Windows Server Update Services.

Configuring WSUS

You can obtain updates from the Microsoft Update Web site through synchronization. However, if the WSUS server is behind a proxy server, you must first configure the network connection so it can access the Internet.

Configuring proxy settings

By default, WSUS will be configured to obtain updates from Microsoft Update. If the server is behind a proxy server, you will need to use the WSUS console to configure the required proxy settings as outlined below.

  1. Click Start, point to All Programs | Administrative Tools | Microsoft Windows Server Update Services.
  2. On the toolbar, click Options.
  3. Click Synchronization Options.
  4. Click the Use a proxy server when synchronizing option and type in the proxy server name and port number.
  5. If credentials are required to connect through the proxy server, click Use user credentials to connect to the proxy server option and specify the username and password the WSUS server will use.
  6. Click the Save Settings option under Tasks.
  7. Click Ok to confirm your actions.

Configure products and update to download

At this point you are ready to identify the products and the types of updates you want the WSUS server to download. For example, the WSUS server can be configured to only download updates in a specific language.

To configure which products and classifications the WSUS server should download during synchronizations:

  1. Within the WSUS administrative console, click Options, and click Synchronization Options.
  2. Click Change from the Products and Classification box.
  3. From Add/Remove Products, click the products that are pertinent to your network.
  4. Click OK.
  5. Click Change under Update classifications.
  6. From Add/Remove Classifications, click the classifications for the updates that should be downloaded by the WSUS server.
  7. Click OK.

Perform synchronization

Once the WSUS server is able to access the Internet, you can obtain updates from the Microsoft Update Web site. As already mentioned, this is done through synchronization. You can initiate synchronization within the WSUS console. On the toolbar, click Options and then Synchronization Options. Under the list of tasks, click Synchronize Now.

During this process, the WSUS server will connect to Microsoft Update to determine if there are any new updates available since the last synchronization took place. However, since the WSUS server is accessing Microsoft Update for the first time, all the updates will be available.

Advanced options

Along with the basic options outlined above, you can also configured advanced synchronization options on the WSUS server. These options are used to control things such as bandwidth usage and where the updates are stored. Advanced options include:

  • Storage options
  • Deferred downloads options
  • Filtering Updates options
  • Express installation options

Storage options

As you saw during the installation of WSUS, by default, updates are downloaded and stored locally on the WSUS server. Alternatively, you can force clients to obtain updates from the Microsoft Update Web site instead of storing the updates on the WSUS server. Using this option instead of the default is useful in situations where clients have high speed Internet connections but the connection to the WSUS is slow. This configuration still allows you to approve updates; it only alters where clients download them from.

You can change where updates are stored by selecting Synchronization Options within the WSUS administrative console. Click the Advanced option under Update Files and Languages and click OK to accept the warning message. From Advanced Synchronization Options under Update Files, click one of the following options:

  • Store update files locally on this server
  • Do not store updates locally; clients install updates from Microsoft Update

Deferred downloads options

The Deferred Downloads Options allows you to configure when the updates should be downloaded. Updates can be downloaded in full during the synchronization process. Or, the download of all updates can be deferred until they are approved. This means that all the files required to install an update are not downloaded until they are approved by an administrator. This allows you to use available bandwidth more efficiently.

You can configure this option from the From Advanced Synchronization Options under Update Files. Select the Download updates to this server only when updates are approved option to defer downloads.

Filtering updates options

Another way that you can optimize bandwidth is to limit the download of updates to specific languages, products, and update type. The default behavior of WSUS is to download all updates for all products in all languages. Chances are many of the updates will not be applicable to your network clients. To better optimize bandwidth, you should limit the download of updates to only those that you require.

You can configure this option from the From Advanced Synchronization Options under Update Files. Select from one of the options outlined below:

  • Download only those updates that match the local of this server (Locale) - Only those updates that match the locale of the WSUS server are downloaded
  • Download updates in all languages, including new languages - All languages are downloaded regardless of the locale of the WSUS server
  • Download updates only in the selected languages - Only updates in the language/languages you have selected are downloaded

Express installation options

This option is used to specifically optimize the bandwidth on the local network between the WSUS server and clients. Keep in mind though that there is a downside of using this option because downloading the express installation files to the WSUS requires more bandwidth than just downloading the updates themselves. However, installing the updates on the clients requires less bandwidth when using the express installation files.

You can enable this option from the Advanced Synchronization Options under Update Files by clicking Download express installation options.

Up to date and ready to go

As you can see, Windows Server Update Services offers a secure, efficient solution for deploying Microsoft updates to servers and workstations. Once the service is installed, the service can be customized to meet varying needs and requirements, thereby making it an update-solution that can be utilized in different environments.