The WSUS server downloads updates from Microsoft Update and distributes the updates to servers and clients in your network. For some administrators, this alone is reason enough to use WSUS—you save on update bandwidth by a factor of the number of clients.
Contents of this article
- WSUS basics
- WSUS configuration
- WSUS interference
- Group Policy
- Firewall settings
- Link speed
- Scheduling
- Client compatibility
- Disk space
WSUS basics
The WSUS server downloads updates from Microsoft Update and distributes the updates to servers and clients in your network. For some administrators, this alone is reason enough to use WSUS—you save on update bandwidth by a factor of the number of clients.
Note that WSUS servers cannot force updates to clients. You can only configure the Windows Update agent on workstations and servers to use WSUS instead of Microsoft's Update service. Think of WSUS as an update repository for Microsoft products.
Most deployments use Group Policy to set WSUS agent policies. You can set a uniform update policy that cannot be superseded by users, which ensures that updates occur in a timely fashion.
WSUS configuration
- Here is how a typical WSUS configuration goes:
- The Windows Update agent on workstations and servers is configured via Group Policy to use the WSUS server as an update server.
- The clients download the new policy and apply the new settings.
- An admin approves the updates that clients are allowed to install in the WSUS console.
- The Windows Update agent determines that an update is available and applies the installation.
In a perfect world, this would be all you have to know. Unfortunately, many things can go wrong. What follows are the main issues I encountered when working with WSUS.
WSUS interference
In my experience, the WSUS server can be subject to interference by a variety of other programs and services, so it is best to install the WSUS server in its own virtual machine living on a highly available host or, better yet, dedicate a separate physical machine to WSUS.
Group Policy
The first thing to do if updates are not installed on clients is to check if the Group Policy settings replicate properly. If you have a domain controller that you typically use to set Group Policy, you might want to keep it on the same physical link as the WSUS server, which will make things much smoother.
Firewall settings
WSUS servers distribute updates via web services. You will always need to make sure that edge firewalls do not block WSUS traffic. The ports are either 80/443 (HTTP/S) in Servers 2008 R2 or 8530/8531 in Servers 2012 R2, depending on your configuration.
Link speed
When using WSUS over WAN, you must be aware that downloads over the link effectively eliminate the performance advantages of WSUS. It might make sense to configure clients in remote offices to use the Microsoft Update service instead of a WSUS server.
Scheduling
Some clients in your network might not receive updates because they have been offline for some time or because mobile users haven’t connected to the corporate network in a while. Ensure that you have a policy in your organization that takes care of these cases.
Client compatibility
If you have some old, outdated machines in your network, you may run into a typical chicken and egg problem. You want WSUS to make your clients compatible, but they are not compatible with WSUS. In some cases, you have to deploy the latest Windows Update client by other means before you can work with WSUS.
Disk space
Some old machines in your network may not have enough disk space for the updates. You will need a third-party tool to delete superfluous data.
Did you encounter other issues with WSUS? I am curious to learn about your troubleshooting tips.
How to
troubleshoot Windows Server Update Services (WSUS)
Windows
Server Update Services Troubleshooting
Troubleshooting
connection failures with WSUS
How to
troubleshoot Windows Server Update Services (WSUS)
In an attempt to make work
easier for computer administrators, Microsoft developed a program called Windows Server
Update Services (WSUS) to assist administrators with managing updates and
hotfixes that the company releases for its products. The WSUS is a crucial part
of a Windows server. As and when Microsoft launches the updates on its website,
WSUS downloads it and distributes it across the network.
Windows
Server Update Services Troubleshooting
Prerequisites
1] Users using WSUS 3.0 SP2 on Windows
Server 2008 R2 need to have update KB4039929 or a later version installed on
the system.
2] For those using WSUS on
Windows Server 2012 or a later version, the following updates or a later
version need to be installed on the system:
·
Windows Server 2012 – KB 4039873
·
Windows Server 2012 R2 – KB 4039871
·
Windows Server 2016 – KB 4039396.
Troubleshooting
connection failures with WSUS
Verify the following causes
for troubleshooting connection failures with WSUS:
1] The WWW Publishing Service
and Update Service should be running on the WSUS server.
2] The WSUS website or the
default website should be running on the WSUS server.
3] Check the log at the location C:\windows\system32\logfiles\httperr for
errors (where C: is the system drive).
Troubleshooting High CPU usage on WSUS server
Press CTRL+ALT+DEL and open
the task manager from the options. It would show the CPU usage. If the CPU
usage is high on the WSUS server, it will cause the system to slow down.
Causes
of High CPU usage on WSUS server
The causes for the high CPU
usage could be:
1] SUSDB is not “clean.” This might confuse the
client systems, and they would start scanning continuously in a loop.
2] Too many pending updates for the WSUS server to
forward to the clients. It usually happens after prolonged use.
In both these events, we need to clean up the WSUS
server as the solution. Ideally, it has to be cleaned up after regular
intervals irrespective of whether we are facing the issue or not. The step by
step procedure to do the same is as follows:
1] Back up the WSUS database
It is perceived that backing up the WSUS database
can improve the performance of the server. It’s a prerequisite before running
the clean-up wizard.
2] Run the WSUS Server Cleanup Wizard
The process to use the server cleanup wizard is
explained here on
Microsoft.com. However, is the client systems are already scanning
the files.it will add to the load. Should that be the case, we could re-index
the WSUS database and decline superseded updates as explained in the following
steps:
3] Re-index the WSUS database
Reindexing the WSUS database can help our cause
especially if the database is fragmented.
You need to run the following commands.
First, use the FULLSCAN option to update the
statistics:
Use
<dbname>
Go
Exec
sp_msforeachtable 'update statistics ? with fullscan'
Go
Then the indexes could be rebuilt:
Use
<dbname>
Go
Exec
sp_msforeachtable 'DBCC DBREINDEX (''?'')'
Go
4] Decline superseded updates
Since in the case mentioned above, the client
systems are scanning the WSUS database, and it has caused high CPU usage, the
immediate remedy should be declining superseded updates since it helps reduce
the load on the system.
1] Change the port for the WSUS website:
Select WSUS Administration Web Site > Edit Bindings and the edit the WSUS
console to connect to the new port. Run the script and synchronize with USS.
2] Decline the updates: You can use the
Powershell script by using -skipdecline parameters to determine the net number
of declined updates. Then run the same -skipdecline again to decline those
updates.
Great....
ReplyDelete