Installing WSUS Server Role on Windows Server 2012 with Microsoft SQL Clustered Database

Bonjour à tous (For those of us who don’t know French, it’s ‘Hello Everyone’ :)). I just started learning French, so hoping to do better than this.

WSUS is one of my favorite applications and I thought it wise to show us how to set one up on Windows Server 2012, but this time using a Microsoft SQL Server 2008 R2 cluster. To begin with, you need to ensure you have a clustered SQL environment already in place. See one of my earlier posts on this.

Note: With Windows Server 2012, WSUS is built into the operating system as a feature.

Nous allons commencer (Use Google translate)

In continuation from page1, I will be running the Post-Installation tasks

– Click on the warning icon and click Launch Post-Installation tasks

– Notice that the process will begin in the background. Wait until the post-deployment configuration and feature installation are completed

– Click on Tools/Windows Server Update Services

– On the begin page, click Next

– Decide if you want to join the Microsoft Update Improvement program, click Next

– Select Synchronize from Microsoft Update site since this is our first WSUS server on the network

– If you use a proxy server to connect to the internet, enter the details here, or leave them blank if you connect to the internet directly

– Click Start Connecting for the WSUS server to connect to Microsoft Update site to synchronize product/download information

– Wait until the upstream server information has been downloaded

– When done, click Next

– Select which languages you would like the downloads in

– Select products you want to download updates for

– Select desired update classification

– Set the desired time and how often you want the WSUS server to sync updates from Microsoft Update site

– On the Finished page, check the Begin initial synchronization box to begin the update download immediately

– Review each of the links, as you will find them very useful. Click Finish

– After clicking Finish, the WSUS Management Console appears

To finalize WSUS configuration, I will show us how to use Active Directory Group Policy to direct domain-joined computers to the WSUS server for updates.

– While on the Update Services page, click on Computers and you will notice that no computer is registered with the WSUS server

– Click on Options, locate and click on Computers

– From the popup, click on Use Group Policy or registry settings on computers and click OK

– Now log onto your Active Directory server, click Tools/Group Policy Management

– From the Group Policy Management console, expand the Forest/Domains/domain name. Since we are deploying to all computers irrespective of the OU they reside in, right-click on Default Domain Policy and click Edit…

– From the Group Policy Management Editor, expand Computer Configuration/Policies/Administrative Templates/Windows Components, then click on Windows Update. As seen, none of the policies have been configured yet

I will only enable two policies for the purpose of this lab

Policy1 – Double-click Configure Automatic Updates, click Enabled, select your desired automatic updating option

Policy2 – Double-click Specify intranet Microsoft update service location, click Enabled, enter the WSUS server address as ‘http://servername:port’ where servername is the WSUS server and port is the WSUS default port, 8530 for http or 8531 for https

There are other useful policies you can enable. Have a look at each and see which suits your environment

– Close the Group Policy Management Editor

– At this stage, if you go back to the WSUS console and view All Computers, you will notice that some computers have started reporting back. To force other systems to report immediately, simply run the following command on each computer from an elevated command prompt: “wuauclt.exe /detectnow”
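To confirm on a client that the two policies above actually landed, the following check can be run from an elevated PowerShell prompt. It is an added example, not part of the original post: the function name Test-WsusClientPolicy is hypothetical, and it assumes the standard Windows Update policy registry location and value names (WUServer, WUStatusServer, UseWUServer, AUOptions).

```powershell
# Added example: audits the WSUS client policy that the GPO writes to the registry.
function Test-WsusClientPolicy {
    param([string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')

    # Values written by "Specify intranet Microsoft update service location"
    $wu = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    # Values written by "Configure Automatic Updates"
    $au = Get-ItemProperty -Path "$PolicyPath\AU" -ErrorAction SilentlyContinue
    $findings  = @()
    $reachable = $false
    $server    = $null
    if ($wu) { $server = $wu.WUServer }

    $uri = $null
    if ($server) { $uri = [uri]$server }
    if (-not $uri -or -not $uri.IsAbsoluteUri) {
        $findings += 'WUServer is missing or not a URL: the GPO has not applied (try gpupdate /force).'
    } else {
        if ($uri.Scheme -ne 'https') {
            $findings += "WUServer uses $($uri.Scheme) on port $($uri.Port): traffic to WSUS is unencrypted; prefer https on 8531 once SSL is configured on the WSUS server."
        }
        if ($wu.WUStatusServer -ne $server) {
            $findings += 'WUStatusServer differs from WUServer: the client may not report to the WSUS console.'
        }
        # Plain TCP connect: confirms the WSUS port is reachable from this client
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($uri.Host, $uri.Port); $reachable = $tcp.Connected }
        catch { $findings += "Cannot connect to $($uri.Host):$($uri.Port): $($_.Exception.Message)" }
        finally { $tcp.Close() }
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores WUServer and does not use the WSUS server.'
    }
    # AUOptions values set by the "Configure Automatic Updates" policy
    $modes = @{ 2 = 'Notify for download and install'; 3 = 'Auto download, notify for install'
                4 = 'Auto download and schedule install'; 5 = 'Local admin chooses' }
    $mode = 'Not configured'
    if ($au -and $au.AUOptions) { $mode = $modes[[int]$au.AUOptions] }

    [pscustomobject]@{
        WUServer   = $server
        Reachable  = $reachable
        UpdateMode = $mode
        Findings   = $findings
    }
}

Test-WsusClientPolicy | Format-List
```

An empty Findings list with Reachable set to True means the client is pointed at the WSUS server and can connect to it.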

Quick Tips:

– Decide whether you want to auto-approve all updates or manually approve specific updates based on severity

– Ensure any approved updates are installed on test machines before applying them to live systems

– When installing on mission-critical servers, schedule the install manually, meaning set the GPO to download updates but not install them. That way you have full control of the installation

– Always ensure that your systems are fully patched to reduce the attack surface of vulnerable systems

Hope I’ve been of great help here 🙂
