Migrating the distribution server component
Applies To: Forefront Client Security
Checklist
The following is a checklist of the high-level tasks required for you to successfully migrate the Client Security distribution server component. This checklist is included to help you perform the migration procedures. Detailed steps follow the checklist.
Server | Task | Your notes |
---|---|---|
Target distribution server | Installing WSUS | |
Source distribution server | Documenting settings | |
Target distribution server | Configuring settings to match source distribution server | |
Source distribution server | Copying downloaded updates from the WSUSContent folder | |
Target distribution server | Transferring downloaded updates from source distribution server to the local WSUSContent folder | |
Source distribution server | Exporting metadata | |
Target distribution server | Importing metadata | |
Source distribution server | Extracting configuration data | |
Target distribution server | Importing configuration data | |
Target distribution server | Installing the Client Security distribution server component | |
Management server | Configuring managed computers to use the new distribution server | |
Managed computer | Verifying communication with the new distribution server | |
Target distribution server | Verifying communication with Microsoft Update | |
Source distribution server | Uninstalling the Client Security distribution server component | |

The Client Security distribution server component is primarily a WSUS 3.0 or WSUS 2.0 server, with the addition of Client Security components. To migrate the distribution server component from one server to another, you migrate the WSUS settings and database from one WSUS server to another.
Client Security supports both WSUS 3.0 and WSUS 2.0. Procedures for the migration of the distribution component differ slightly between the two versions.
Preparing the target computer
To prepare the target computer, perform the following steps:
To prepare the target computer
Install the same version of WSUS that is installed on the source computer.
For more information about installing WSUS, see either Install the WSUS 3.0 Server (https://go.microsoft.com/fwlink/?LinkId=91482) or, for WSUS 2.0, Install the WSUS Server (https://go.microsoft.com/fwlink/?LinkId=91483).
Important
When installing WSUS, it is highly recommended that you store the synchronized updates in a SQL Server database, rather than using Microsoft SQL Server Desktop Engine (MSDE).
Once the installation is complete, you must configure the settings of the target distribution server to be the same as the settings on the source distribution server.
To ensure the settings on the source distribution server match the target distribution server for WSUS 3.0
1. On the source distribution server, in the WSUS Administration console, click the Options node in the left pane, and then click Update Files and Languages.
2. On the Update Files tab, check the setting for Download express installation files.
3. In the Update Languages tab, note the settings for the update languages (for use in step 5).
4. On the target distribution server, in the WSUS Administration console, click the Options node in the left pane, and then click Update Files and Languages.
5. Make sure the settings for Download express installation files and Languages options match the selections on the source server.
To ensure settings on the source distribution server match settings on the target distribution server for WSUS 2.0
1. On the source distribution server, in the WSUS console, click the Options tab, and then in the Update Files and Languages section, click Advanced.
2. In the Advanced Synchronization Settings dialog box, note the status of the settings for Download express installation files and Languages options (for use in step 4).
3. On the target distribution server, in the WSUS console, click the Options tab, and then in the Update Files and Languages section, click Advanced.
4. In the Advanced Synchronization Settings dialog box, make sure the settings for Download express installation files and Languages options match the selections on the source distribution server.
After synchronizing the settings on the target distribution server, you must transfer the downloaded updates from the file system of the source distribution server to the target distribution server.
To transfer downloaded updates from the source distribution server to the target distribution server
On the source distribution server, copy the contents of the following location to the same location on the target distribution server:
WSUSInstallationDrive\WSUS\WSUSContent\
Where WSUSInstallationDrive is the drive on which WSUS is installed.
Important
When copying the updates, it is very important that you maintain the folder structure.
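One way to confirm that the copy kept the folder structure and that every update file arrived unmodified is to compare a manifest of relative paths and SHA-256 hashes from both servers. This is an added example, not part of the original procedure or of WSUS; the function names and the demo folders are hypothetical, and it assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example. Function names are hypothetical; requires PowerShell 4.0+ (Get-FileHash).
function Get-ContentManifest {
    param([Parameter(Mandatory)][string] $Root)
    $rootPath = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootPath -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            # Path relative to WSUSContent, so manifests from two servers line up.
            RelativePath = $_.FullName.Substring($rootPath.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-ContentManifest {
    param($Source, $Target)
    $onTarget = @{}
    $onSource = @{}
    foreach ($t in $Target) { $onTarget[$t.RelativePath] = $t.Sha256 }
    foreach ($s in $Source) {
        $onSource[$s.RelativePath] = $true
        if (-not $onTarget.ContainsKey($s.RelativePath)) {
            "MISSING on target: $($s.RelativePath)"
        } elseif ($onTarget[$s.RelativePath] -ne $s.Sha256) {
            "HASH MISMATCH: $($s.RelativePath)"
        }
    }
    foreach ($t in $Target) {
        if (-not $onSource.ContainsKey($t.RelativePath)) {
            "EXTRA on target: $($t.RelativePath)"
        }
    }
}

# Constructed demo: the second file was copied without its subfolder.
$src = Join-Path $env:TEMP 'wsuscontent-demo-src'
$dst = Join-Path $env:TEMP 'wsuscontent-demo-dst'
New-Item -ItemType Directory -Force -Path "$src\0A", "$src\1B", "$dst\0A" | Out-Null
Set-Content -Path "$src\0A\a.cab", "$dst\0A\a.cab" -Value 'constructed update a'
Set-Content -Path "$src\1B\b.cab", "$dst\b.cab" -Value 'constructed update b'
Compare-ContentManifest -Source (Get-ContentManifest $src) -Target (Get-ContentManifest $dst)
Remove-Item -LiteralPath $src, $dst -Recurse -Force
```

Between two real servers, pipe the source manifest to Export-Csv, move the file alongside the updates, and load it on the target with Import-Csv before comparing. No output means the two trees match.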
Additionally, you must copy the WSUS database metadata from the source distribution server to the target distribution server. A utility provided with both WSUS 3.0 and WSUS 2.0, WSUSutil.exe, is used for this.
Note
You must be a member of the local Administrators group on the WSUS server to export or import metadata; both operations can be run only on a WSUS server.
To export metadata from the database of the source distribution server
On the source distribution server, open a command prompt and navigate to the folder that contains WSUSutil.exe. The default path is Program Files\Update Services\Tools.
Type the following:
wsusutil.exe export packagename logfile
For example:
**wsusutil.exe export export.cab export.log**
The package (.cab file) and log file name must be unique. WSUSutil.exe creates these two files as it exports metadata from the WSUS database.
- Move the export package you just created to the target distribution server.
To import metadata to the database of the target distribution server
On the target distribution server, open a command prompt and navigate to the folder that contains WSUSutil.exe. The default path is Program Files\Update Services\Tools.
Type the following:
wsusutil.exe import packagename logfile
For example:
**wsusutil.exe import export.cab import.log**
WSUSutil.exe imports the metadata from the source distribution server and creates a log file of the operation.
**Note** It can take 3–4 hours for the database to validate content that has just been imported.
Transferring the configuration data
The configuration data on the source distribution server contains information about subscriptions, auto-approval settings, targets, groups, and approved updates. This information must be extracted and transferred to the target distribution server.
To extract and transfer the configuration data, you must download and install the Windows Server Update Services API Samples and Tools for your version of WSUS. The WSUS API Samples and Tools must be installed on both your source and target distribution servers.
For WSUS 3.0, download the Windows Server Update Services 3.0 API Samples and Tools (https://go.microsoft.com/fwlink/?LinkId=94784).
For WSUS 2.0, download the Windows Server Update Services API Samples and Tools (https://go.microsoft.com/fwlink/?LinkID=90951).
To transfer the configuration data
On the source distribution server, open a command prompt and change to the following directory:
Program Files\Update Services API Samples and Tools\WsusMigrate\WsusMigrationExport
Type the following command and press Enter:
WsusMigrationExport.exe outputfilename
Where *outputfilename* is the full path and name of the output file. This file should be placed in a location accessible to the target distribution server.
On the target distribution server, open a command prompt and change to the following directory:
Program Files\Update Services API Samples and Tools\WsusMigrate\WsusMigrationImport
Type the following command and press Enter:
WsusMigrationImport.exe outputfilename All MoveComputers
Where *outputfilename* is the full path to and name of the output file created on the source distribution server.
Configuring the target distribution server
You must install the Client Security distribution server component on the target distribution server.
To install Client Security on the target distribution server
Using an account that has local administrator privileges on all of the Client Security servers, log on to the target distribution server, insert the Client Security CD, and run the Setup wizard.
On the Component Installation page, select the Distribution server check box, clear all the other check boxes, and then click Next.
On the Install Location page, enter the location where you want the Setup wizard to install Client Security files.
On the Verifying Settings and Requirements page, verify your system requirements, and then click Next.
On the Completing Setup page, verify that you have successfully installed Client Security, and then click Close.
Configuring the managed computers
The managed computers must be configured to use the new distribution server for updates.
To configure managed computers
Verifying functionality
To verify the new distribution server is functioning correctly, you must test two things:
- The ability of the managed computers to download updates from the distribution server.
- The ability of the distribution server to connect to an upstream WSUS server or to Microsoft Update and synchronize updates.
To verify managed computer communication with the distribution server
On a Client Security managed computer, start a command prompt and change to the following directory:
ClientSecurityInstallPath\Client Security\Client\Antimalware
Type the following command and press Enter:
MpCmdRun.exe -SignatureUpdate
In the Run dialog box, type the following command, and then click OK:
Notepad c:\windows\windowsupdate.log
This opens the windowsupdate.log file in Notepad.
Place the cursor at the bottom of the file by scrolling to the bottom and clicking in the last line.
Click Edit, and then click Find.
In the Find what text box, type Server URL = https://
Ensure that under Direction, the Up button is selected, and then click Find Next.
The first string found should contain the name of the new distribution server. Ensure that the string is https://newdistributionservername
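The Notepad search above can also be done as a repeatable check, which helps when many managed computers have to be verified. This is an added example, not part of the original procedure or of Client Security; the function names and the sample log lines are constructed for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example. Function names are hypothetical; sample log lines are constructed.
function Get-LastServerUrl {
    param([Parameter(Mandatory)][string[]] $LogLines)
    # Search from the bottom up, like Find with Direction set to Up.
    for ($i = $LogLines.Count - 1; $i -ge 0; $i--) {
        if ($LogLines[$i] -match 'Server URL = (?<scheme>[a-z]+)://(?<server>[^/:\s]+)') {
            return [pscustomobject]@{
                Scheme = $Matches['scheme'].ToLower()
                Server = $Matches['server'].ToLower()
                Line   = $i + 1
            }
        }
    }
}

function Test-DistributionServerInLog {
    param(
        [Parameter(Mandatory)][string[]] $LogLines,
        [Parameter(Mandatory)][string]   $ExpectedServer
    )
    $hit = Get-LastServerUrl -LogLines $LogLines
    if (-not $hit) { return 'FAIL: no "Server URL" entry found' }
    if ($hit.Scheme -ne 'https') {
        return "FAIL: line $($hit.Line) uses $($hit.Scheme), not https"
    }
    if ($hit.Server -ne $ExpectedServer.ToLower()) {
        return "FAIL: line $($hit.Line) points at $($hit.Server), expected $ExpectedServer"
    }
    return "PASS: line $($hit.Line) points at https://$($hit.Server)"
}

# Constructed sample in the general shape of windowsupdate.log entries:
# an older entry for the source server, then a newer one for the target.
$sample = @(
    '2008-03-01 09:14:02:118  904 a3c PT   Server URL = https://olddistributionserver/ClientWebService/client.asmx'
    '2008-03-01 09:14:05:640  904 a3c Agent  * Found 0 updates and 12 categories in search'
    '2008-03-02 11:30:41:007  904 b10 PT   Server URL = https://newdistributionservername/ClientWebService/client.asmx'
    '2008-03-02 11:30:44:512  904 b10 Agent  * Found 1 updates and 12 categories in search'
)
Test-DistributionServerInLog -LogLines $sample -ExpectedServer 'newdistributionservername'

# Against the real log on a managed computer:
# Test-DistributionServerInLog -LogLines (Get-Content C:\windows\windowsupdate.log) -ExpectedServer 'newdistributionservername'
```

Only the most recent entry counts, so an older line that still names the source distribution server does not cause a failure.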
To verify distribution server communication with upstream servers or Microsoft Update for WSUS 3.0
In Administrative Tools, click Update Services.
In the tree pane, expand the server name, and then click Synchronizations.
In the Actions pane, click Synchronize Now.
The synchronization result can be viewed in the Synchronizations pane.
To verify distribution server communication with upstream servers or Microsoft Update for WSUS 2.0
In Administrative Tools, click Microsoft Windows Server Update Services.
On the Synchronization Options page, click Synchronize Now.
The synchronization result can be viewed on the Welcome to Windows Server Update Services page, under Synchronization Status.
If any of the verifying communication steps fail, verify that you have performed all previous steps. If communications continue to fail, contact Microsoft product support.
The final step in the migration of the Client Security distribution server component is to uninstall the distribution server component from the source server. This should be done only after successful verification of communication.
To uninstall the distribution server component
- Follow the instructions for uninstalling the distribution server component in Removing an existing installation of Client Security.