SUS or WSUS

Guest2 · 9 Nov 2009 at 14:08

We have a machine with Windows Server 2003 installed and SUS (software update server) It has been doing nothing for almost a year now and needs looking at instead of client PCs downloading updates all the time.

Would it be a good idea to migrate SUS to WSUS (windows server update services) or start a fresh with WSUS?

I have been doing a bit of brief reading and it looks like WSUS is the way to go but am not all too sure. Updates can be downloaded again for the server. We have some policies (about 6 i think) for SUS domain controllers, clients etc but guessing these can be scrapped too if starting again with WSUS.

http://technet.microsoft.com/en-us/wsus/default.aspx

http://technet.microsoft.com/en-us/library/cc720537(WS.10).aspx

paradigm · 9 Nov 2009 at 14:18

Start a fresh with WSUS would be my planned route.

doggs · 9 Nov 2009 at 14:21

Has SUS been downloading updates for the past year? If not, it doesn't take long to set up WSUS and as you've only got 6 SUS policies I'd probably start from scratch.

Guest2 · 9 Nov 2009 at 14:51

Doesnt matter, for some reason it was names SSUS. Ive just fired it up and it has WSUS on it. Ill get the updates and carry on as normal

In C:\WSUS is 20gb of updates. (Or im guessing they are updates)

Guest2 · 9 Nov 2009 at 15:20

When i try and update to WSUS 3.0SP2 it says cannot continue because sharepoint services is using port 80. I can see that in services both MSSQL%$WSUS and MSSQL$sharepoint is running sqlservr.exe.

Does WSUS require sharepoint services to work or is it something totally different? I am getting into the realm of databases, of which i have little/no knowledge

Sin_Chase · 9 Nov 2009 at 16:09

No, WSUS does not need sharepoint.

I was pretty sure WSUS 3.0 moved away from web based management and is run from a console now so I am not sure why it is complaining sharepoint is using port 80.

To be fair it has been a while since I touched WSUS so one of the other guys should be able to shed some light onto it.

doggs · 9 Nov 2009 at 18:12

If you install WSUS 3.0SP2 using the stand alone installer and choose the advanced install you should be able to select any port you like. I think, been a long time since I installed it.

Guest2 · 10 Nov 2009 at 09:53

doggs said:
If you install WSUS 3.0SP2 using the stand alone installer and choose the advanced install you should be able to select any port you like. I think, been a long time since I installed it.

After the error about sharepoint using port 80 it says

"Please re-run the setup and specify a different port" However it gives me no option when running the setup to specify a different port :confused:

doggs · 10 Nov 2009 at 13:18

Open IIS and try changing either the sharepoint port or the SUS/WSUS port.

Guest2 · 10 Nov 2009 at 13:32

I stuck WSUS on port 1 and then WSUS 3.0 could run. I have ran it now and also ran setup and set updates to run on sunday night

Firewall is set to on. Do i need to open any ports or do anything else?

doggs · 10 Nov 2009 at 15:01

I think you'll need to create an exception for the WSUS port in the firewall, then it should be good to go.

Sin_Chase · 10 Nov 2009 at 16:19

doggs said:
Open IIS and try changing either the sharepoint port or the SUS/WSUS port.

You do not want to do this on SBS.

Guest2 · 10 Nov 2009 at 16:48

It is now installed and running on IIS 6. It has TCP port 1 and is using SSL port 8531. Windows firewall is off.

Is it not possible to browse to it like WSUS 2.0. i.e http://ssus01 no longer works, i have also tried http://ssus01:8531 That doesnt work either.

In group policy i have 6 similar settings for SQL servers, exchange etc to update from SSUS01

'specify intranet microsoft update service location' enabled
set the intranet update service for detecting updates - http://ssus01
set intranet statistics server - http://ssus01

I take it that these will no longer work now if WSUS doesnt work from a browser window? When i ran the setup i selected syncronization as automatic and set to 22.00, 1 syncronizations per day

edit - ive just found this in the deployment guide. Is this still used when no firewall is turned on?

'Do you know the port number on which this machine will connect to the upstream server? (Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure a downstream WSUS server to use a custom port.)'

doggs · 11 Nov 2009 at 08:46

As Sin_Chase said, WSUS SP3 is now run from a mmc and not a browser, it should be in Admin Tools.

The update server still needs to be specified in the same way, so your group policies should still work, although you will need to add the port number (http://ssus01:<port number>).

Guest2 · 11 Nov 2009 at 09:50

Thanks. Ill add the port number to the policies

Zarf · 11 Nov 2009 at 12:01

It is now installed and running on IIS 6. It has TCP port 1 and is using SSL port 8531. Windows firewall is off.

Is it not possible to browse to it like WSUS 2.0. i.e http://ssus01 no longer works, i have also tried http://ssus01:8531 That doesnt work either.

Try http://ssus01:1 and https://ssus01:8531

Guest2 · 12 Nov 2009 at 10:00

Neither of those adresses work either.

On the update services console on the server there is an 'all computers group' inside this is 'unassigned computers' where all the computer are currently located.

I have selected client side handling of groups (group policy) on options > computers

In group policy i have a policy for all the client computers with the WSUS update settings running from the ADM template. This has the scope where all the computer are on our network. It has automatic update settings for 10pm sunday night.
It also has an option 'client side targetting' which i have set the option 'target group name for this computer' to 'Clients'

On the WSUS server i have then created a computer group called 'Clients' I have done a gpupdate /force but would have thought all computers from the 'unassigned computers' group would automatically move to clients to follow group policy settings.

What am I missing from the Update services console or or group policy that is not shifting computers to groups?

(I also have other groups for SQL Servers, Domain controllers etc on the console and in group policy target group names)

Thanks

edit - when i browse to http://ssus01:1/ I get - the website declined to show the page. most likely causes, the website requires you to log in

any of the other combinations e.g. http://ssus01:8531/ it says - IE cannot display the webpage, it appears you are connected to the internet , but you might want to try to reconnect to the internet

doggs · 12 Nov 2009 at 12:42

I seem to remember when we set up WSUS we had to restart some of the client computers before they read the group policy and joined the 'target group name for this computer', (don't know why gpupdate /force didn't work).

I get the same "403 website declined to show the page" when browsing to http://servername: portnumber/ so don't think thats a problem.

Guest2 · 12 Nov 2009 at 15:52

I have just read through the step my step guide and under the 'Configure Computer Groups' part it only has assigning users to test groups by using 'Right-click Change Membership.' Helpful!

I'll leave the server on tonight to see if it moves any users to the computers groups i have created on the WSUS server. Computer are set to auto shutdown at night and startup at 6.30am anyway. I have been turning the WSUS server off though, ill leave it on tonight

Guest2 · 13 Nov 2009 at 11:11

Update, i tried adding http://ssus01:1/ into the policies in group policy and the WSUS server then picked up 2 computers in clients. Its now picking up more and more computers as it should.

Hopefully all client machines should update from WSUS server at 10pm on sunday night

Thanks all