|
|
Hi,
I inherited a network with many downstream SUS servers (approx 50)
relying on a parent WSUS server. In the majority (90%) of cases the
SUS servers are not working. That is their clients are not applying
updates from the SUS servers successfully. The actual SUS servers are
receiving their updates successfully from a different upstream WSUS
server. Additionally the 2 upstream WSUS servers have no relation to
each other.
So we have around 50 servers that are successfully getting their
updates from a parent WSUS server, and the same 50 servers which are
acting as SUS servers for their own networks, not working.
What I really need is some advice on the best way to fix Windows
Updates for the downstream locations. Should I upgrade each
individual SUS server to WSUS? Can I change it so that there is only
1 parent server, and the downstream servers use themselves to receive
updates? This way there would only be 1 set of updates being
downloaded instead of 2.
Advice will be appreciated.
Many Thanks,
Michael
|
|
"MichaelW" <googlegroups[ at ]hoyts.com.au> wrote in message
news:1182296755.631020.217550[ at ]o11g2000prd.googlegroups.com...
[Quoted Text] > Hi,
>
> I inherited a network with many downstream SUS servers (approx 50)
> relying on a parent WSUS server. In the majority (90%) of cases the
> SUS servers are not working.
Hmm.... I wasn't aware that SUS servers could sync from WSUS servers..... if
they cannot.. (and I don't think they can), that would likely explain why
the SUS Servers are not working.
Also, if the SUS servers are not 'downstream' of the WSUS Servers, you also
need to be aware that Microsoft is pulling the plug on SUS 1.0 services on
July 10, 2007. See http://support.microsoft.com/kb/905682 for confirmation
and details.
> What I really need is some advice on the best way to fix Windows
> Updates for the downstream locations.
The *best* way is to replace them with WSUS v3.0
> Should I upgrade each individual SUS server to WSUS?
Not an option. SUS 1.0 cannot be upgraded to WSUS 3.0, and there's
absolutely no point in going through the torture of migrating a SUS 1.0
server to WSUS 2.0 so that you can do the upgrade to WSUS 3.0 -- not to
mention that those SUS 1.0 servers need to be running Windows Server 2003
SP1 in order to install WSUS 3.0.
If they're SUS 1.0 servers, that means they've also not likely been touched
since long before Summer '05, which also means, at best, they probably don't
have SP1 for Win2003, but I'd guess they're also likely running Win2000.
> Can I change it so that there is only
> 1 parent server, and the downstream servers use themselves to receive
> updates? This way there would only be 1 set of updates being
> downloaded instead of 2.
This depends on how many clients at the remote sites, and how much bandwidth
you have between the remote site(s) and the central site.
In general, if you have at least 5kbit/sec of bandwidth per PC on the WAN
connection, my recommendation is to not use remote WSUS servers.
Use remote WSUS servers if:
[a] The Windows Server 2003 SP1 server (non-DC) is already deployed and
there are a significant number of clients on the site, or
[b] If there is less than 5kbit/sec of bandwidth per PC on the WAN
connection.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
Firstly thank you for the reply.
[Quoted Text] > > I inherited a network with many downstream SUS servers (approx 50)
> > relying on a parent WSUS server. In the majority (90%) of cases the
> > SUS servers are not working.
>
> Hmm.... I wasn't aware that SUS servers could sync from WSUS servers..... if
> they cannot.. (and I don't think they can), that would likely explain why
> the SUS Servers are not working.
Yes you are right, the upstream server is a SUS server. We have 2
upstream servers, 1 WSUS server which is reponsible for updating all
of the servers in our organisation, and also computers in our head
office location. The upstream SUS server is responsible for all our
remote sites excluding the servers at those sites.
> Also, if the SUS servers are not 'downstream' of the WSUS Servers, you also
> need to be aware that Microsoft is pulling the plug on SUS 1.0 services on
> July 10, 2007. Seehttp://support.microsoft.com/kb/905682for confirmation
> and details.
OK thanks
>
> > What I really need is some advice on the best way to fix Windows
> > Updates for the downstream locations.
>
> The *best* way is to replace them with WSUS v3.0
>
> > Should I upgrade each individual SUS server to WSUS?
>
> Not an option. SUS 1.0 cannot be upgraded to WSUS 3.0, and there's
> absolutely no point in going through the torture of migrating a SUS 1.0
> server to WSUS 2.0 so that you can do the upgrade to WSUS 3.0 -- not to
> mention that those SUS 1.0 servers need to be running Windows Server 2003
> SP1 in order to install WSUS 3.0.
>
> If they're SUS 1.0 servers, that means they've also not likely been touched
> since long before Summer '05, which also means, at best, they probably don't
> have SP1 for Win2003, but I'd guess they're also likely running Win2000.
You are right that most of these servers are running Windows 2000, we
are gradually replacing them with 2003 boxes but it will take some
time before the last of the 2000 boxes is replaced. So it looks like
I should be upgrading to WSUS 2.0.
> > Can I change it so that there is only
> > 1 parent server, and the downstream servers use themselves to receive
> > updates? This way there would only be 1 set of updates being
> > downloaded instead of 2.
>
> This depends on how many clients at the remote sites, and how much bandwidth
> you have between the remote site(s) and the central site.
>
> In general, if you have at least 5kbit/sec of bandwidth per PC on the WAN
> connection, my recommendation is to not use remote WSUS servers.
We definitely would have enough bandwidth to cover the remote PCs. My
main concern is the amount of traffic that will be generated from head
office, if we discard the remote WSUS servers. We have a 100GB
monthly download which we are regularly going over, despite locking
most traffic down with proxy. Once all the machines are updated the
traffic from the head office WSUS server would calm down, it is the
initial hit that concerns me. We are paying a premium for additional
traffic.
>
> Use remote WSUS servers if:
> [a] The Windows Server 2003 SP1 server (non-DC) is already deployed and
> there are a significant number of clients on the site, or
> [b] If there is less than 5kbit/sec of bandwidth per PC on the WAN
> connection.
Currently all of the servers running SUS are Windows 2000 DCs, we are
changing this so that the DC runs in a VM on the same server. Again
this will take a long time to roll-out to all sites. The number of
clients per site averages 15, up to a maximum of 40-50 clients.
Thanks again for your advice.
Regards,
Michael
|
|
"MichaelW" <googlegroups[ at ]hoyts.com.au> wrote in message
news:1182388275.231037.36790[ at ]x35g2000prf.googlegroups.com...
[Quoted Text] > Firstly thank you for the reply.
>
>> > I inherited a network with many downstream SUS servers (approx 50)
>> > relying on a parent WSUS server. In the majority (90%) of cases the
>> > SUS servers are not working.
>>
>> Hmm.... I wasn't aware that SUS servers could sync from WSUS servers.....
>> if
>> they cannot.. (and I don't think they can), that would likely explain why
>> the SUS Servers are not working.
>
> Yes you are right, the upstream server is a SUS server.
<big sigh of relief>.. I thought I had missed a major deployment scenario.
:-)
>> If they're SUS 1.0 servers, that means they've also not likely been
>> touched
>> since long before Summer '05, which also means, at best, they probably
>> don't
>> have SP1 for Win2003, but I'd guess they're also likely running Win2000.
>
> You are right that most of these servers are running Windows 2000, we
> are gradually replacing them with 2003 boxes but it will take some
> time before the last of the 2000 boxes is replaced. So it looks like
> I should be upgrading to WSUS 2.0.
Yes... given that you may have some time lag upgrading them from 2k to 2k3,
I'd say a critical interim step is to go ahead with deploying WSUS 2.0 SP1
until you can upgrade the OS installations.
Suggestion: Forego the idea of 'migrating' the SUS 1.0 boxes to WSUS 2.0.
Since these are all replica servers anyway, you're really going to re-clone
them from the master WSUS 2.0 server, so your best solution, IMHO, is to
just install WSUS 2.0 on these systems from scratch.
You'll want to obtain a copy of this Getting Started guide to help you
through this process:
WSUS Step-by-Step Guide to Getting Started on Windows 2000 Server
http://www.microsoft.com/downloads/details.aspx?FamilyId=4169C932-63B5-4629-91D3-C8901C2AFA07&displaylang=en
>> > Can I change it so that there is only
>> > 1 parent server, and the downstream servers use themselves to receive
>> > updates? This way there would only be 1 set of updates being
>> > downloaded instead of 2.
>>
>> This depends on how many clients at the remote sites, and how much
>> bandwidth
>> you have between the remote site(s) and the central site.
>>
>> In general, if you have at least 5kbit/sec of bandwidth per PC on the WAN
>> connection, my recommendation is to not use remote WSUS servers.
>
> We definitely would have enough bandwidth to cover the remote PCs. My
> main concern is the amount of traffic that will be generated from head
> office, if we discard the remote WSUS servers.
Consider that WSUS and the Windows Update Agent make use of the "Background
Intelligent Transfer Service", which is a bandwidth-available throttling
service, that can be explicitly configured to control when and/or how much
bandwidth is available for use to download content.
> We have a 100GB
> monthly download which we are regularly going over, despite locking
> most traffic down with proxy.
This would be a *good* reason to consider maintaining a remote WSUS server,
particularly on sites with a larger number of clients. Particularly if
you're already hitting that threshold with the existing environment.
> Once all the machines are updated the
> traffic from the head office WSUS server would calm down, it is the
> initial hit that concerns me. We are paying a premium for additional
> traffic.
Using BITS bandwidth throtting may be a solution to consider. Also, as with
SUS 1.0, WSUS 2.0 supports importing content from removable media, which can
help eliminate any need for those initial downloads to be transported across
the WAN connections.
See the section in the WSUS Deployment Guide on "Disconnected Networks", and
treat your initial replica server deployment as a 'disconnected network'.
Alternatively, you can also initalize the *replica* server on your LAN,
side-by-side with the upstream server, and then readdress the replica server
immediately prior to shipping/deploying to the remote site.
>> Use remote WSUS servers if:
>> [a] The Windows Server 2003 SP1 server (non-DC) is already deployed
>> and
>> there are a significant number of clients on the site, or
>> [b] If there is less than 5kbit/sec of bandwidth per PC on the WAN
>> connection.
>
> Currently all of the servers running SUS are Windows 2000 DCs, we are
> changing this so that the DC runs in a VM on the same server.
An excellent deployment tactic for single-server remote sites! Note,
however, you may encounter difficulties if that host server is intended to
be a *member* server, and cannot contact a DC (because the VM hasn't
launched yet).
> Again
> this will take a long time to roll-out to all sites. The number of
> clients per site averages 15, up to a maximum of 40-50 clients.
You may well find that your 50 client sites will fare better by having a
remote WSUS server, which reduces your download count per update to =one=
each, instead of 50x each update, in terms of bandwidth consumption
concerns.
Also, as noted, you already have the server infrastructure in place to
deploy the WSUS server (the SUS servers are already there).
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
|