Choose a Type of WSUS Deployment
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server Update Services
This section describes the basic features of all WSUS deployments. Use this section to familiarize yourself with simple deployments with a single WSUS server, as well as more complex scenarios, such as a WSUS server hierarchy or a WSUS server on an isolated network segment. This section also explains how to target different sets of updates to different groups of computers.
The most basic WSUS deployment consists of a server inside the corporate firewall that serves client computers on a private intranet, as shown in the "Simple WSUS Deployment" illustration below. The WSUS server connects to Microsoft Update to download updates. This is known as synchronization. During synchronization, WSUS determines if any new updates have been made available since the last time you synchronized. If it is your first time synchronizing WSUS, all updates are made available for download.
|Initial synchronization can take over an hour. All synchronizations after that should be significantly shorter.|
By default, the WSUS server uses port 80 for HTTP protocol and port 443 for HTTPS protocol to obtain updates from Microsoft. If there is a corporate firewall between your network and the Internet, you will have to open these ports on the server that communicates directly to Microsoft Update. If you are planning to use custom ports for this communication, you will have to open those ports instead.
You can configure multiple WSUS servers to synchronize with a parent WSUS server. Chaining WSUS servers together is discussed later in this guide.
Automatic Updates is the client component of WSUS. Automatic Updates must use the port assigned to the WSUS Web site in Microsoft Internet Information Services (IIS). If there are no Web sites running on the server where you install WSUS, you can use the default Web site or a custom Web site. If you set up WSUS on the default Web site, WSUS listens for Automatic Updates on port 80. If you use a custom Web site, WSUS listens on port 8530. Alternate port numbers cannot be specified at setup time, but can be configured afterwards.
If you use the custom Web site, you must also have a Web site set up and running on port 80 to accommodate updating legacy Automatic Updates client software. If you use the custom Web site, remember to include the port number in the URL when you configure Automatic Updates to point to the WSUS server. Other issues to consider when using a custom port for the WSUS Web site are discussed in "Using the WSUS custom Web site" in Configure IIS later in this guide.
Computer groups are an important part of WSUS deployments, even a basic deployment. Computer groups enable you to target updates to specific computers. There are two default computer groups: All Computers and Unassigned Computers. By default, when each client computer initially contacts the WSUS server, the server adds it to both these groups.
You can move computers from the Unassigned Computers group to a group you create. You cannot remove computers from the All Computers group. The All Computers group enables you to target updates to every computer on your network regardless of group membership. The Unassigned Computers group permits you to target only computers that have not yet been assigned group membership.
One benefit of creating computer groups is that it enables you to test updates. The "Simple WSUS Deployment with Computer Groups" illustration depicts two custom groups named Test and Accounting, as well as the All Computers group. The Test group contains a small number of computers representative of all the computers contained in the Accounting group. Updates are approved first for the Test group. If the testing goes well, you can roll out the updates to the Accounting group. There is no limit to the number of custom groups you can create. There are instructions for creating custom computer groups in Create the Computer Groups later in this guide.
|Do not use WSUS to distribute updates to client computers that are not licensed for your organization. The WSUS license agreement specifically disallows this.|
You can create complex hierarchies of WSUS servers. Since you can synchronize one WSUS server with another WSUS server instead of with Microsoft Update, you need to have only a single WSUS server that is connected to Microsoft Update. When you link WSUS servers together, there is an upstream WSUS server and a downstream WSUS server, as shown in the "WSUS Server Hierarchy" illustration below.
There are two ways to link WSUS servers together:
Autonomous mode: An upstream WSUS server shares updates with its downstream server or servers during synchronization, but not update approval status or computer group information. Downstream WSUS servers must be administered separately. Autonomous servers can also synchronize updates for a set of languages that is a subset of the set synchronized by their upstream server.
Replica mode: An upstream WSUS server shares updates, approval status, and computer groups with its downstream server or servers. Downstream replica servers inherit update approvals and cannot be administered apart from their upstream WSUS server.
For more information see Choose a WSUS Management Style.
This type of configuration is useful for many types of deployment. You might use it to download updates once from the Internet and then distribute those updates to branch offices with downstream servers, saving bandwidth on your Internet connection. You might use it to scale WSUS in a large organization with more client computers than one WSUS server can manage. You might also use it to move updates closer to where they will be deployed.
Three levels is the recommended limit to a WSUS server hierarchy. This is because each level adds additional lag time to propagate updates throughout the chain. Theoretically there is no limit to how deep you can go, but only deployments with a hierarchy five levels deep have been tested.
The downstream server must always synchronize to an upstream server, as in the "WSUS Server Hierarchy" illustration above. This keeps synchronizations traveling downstream. If you attempt to synchronize an upstream server to a downstream server, you effectively create a closed loop, which is not supported. You can find step-by-step instructions for synchronizing WSUS servers in Set Up a Hierarchy of WSUS Servers later in this guide.
When you set up a WSUS server hierarchy, you should point Automatic Updates on all WSUS servers to the farthest downstream WSUS server in the hierarchy. This shields the entire chain from server-to-server protocol-breaking changes, because the downstream WSUS server can be used to update the broken upstream WSUS servers via Automatic Updates.
If you decide to configure your WSUS network as a server hierarchy, you should also determine whether you need to distribute updates in different languages to different parts of your network. For example, the head office may require only English and French, but a branch may require English, French, and German. You should consider all the languages used throughout your network when you set up a hierarchy of servers, because you must configure the root server (the server that connects to Microsoft Update) to download updates in all the languages used in the entire network. You can then configure the downstream servers to download updates in the languages they need. Moreover, you should make sure no downstream servers require a language that you are planning to remove from an upstream server.
For more information about setting up language options on upstream servers and downstream servers, see the "Choose update languages" section of the topic Using the WSUS 3.0 Configuration Wizard.
It is unnecessary for your entire network to be connected to the Internet in order for you to use WSUS. If you have a network segment that is not connected to the Internet, consider deploying WSUS as shown in the "Distributing Updates on an Isolated Segment" illustration below. In this example, you create a WSUS server that is connected to the Internet but isolated from the intranet. After you download updates to this server, you can export the updates to media, hand-carry the media to disconnected WSUS servers, and import the updates.
Exporting and importing is also appropriate for organizations that have high-cost or low-bandwidth links to the Internet. Even with all the bandwidth-saving options described later in this guide, downloading enough updates for all Microsoft products throughout an organization can be bandwidth-intensive. Importing and exporting updates enables organizations to download updates once and distribute by using inexpensive media. See Set Up a Disconnected Network (Import and Export the Updates) for more information about how to export and import updates.
In many organizations, branch offices have low-bandwidth connections to the central office but high-bandwidth connections to the Internet. In this case you may want to configure downstream WSUS servers to get information about which updates to install from the central WSUS server, but download the updates themselves from Microsoft Update. For information about how to set up this kind of configuration, see Advanced Synchronization Options.
Network load balancing increases the reliability and performance of your WSUS network. You can set up multiple WSUS servers that share a single SQL Server 2005 failover cluster, as in the "Network Load Balancing with a SQL Server Failover Cluster" illustration below. (Note that for this configuration you must use a full SQL Server 2005 installation, not the Windows Internal Database installation provided by WSUS.) You can also have all the WSUS servers use a DFS share to store their content. See Appendix C: Configure WSUS for Network Load Balancing for more information about configuring WSUS and SQL Server for network load balancing.
If you have many mobile users who log on to your network from different sites, you may want to use the following configuration to allow them to update their computers from the closest WSUS server. In this configuration, shown in the "Roaming Clients Using Different WSUS Servers" illustration below, there is one WSUS server per region, and each region is a DNS subnet. All clients are pointed to the same WSUS server name, which resolves in each subnet to the nearest WSUS server. See Appendix D: Configure WSUS for Roaming Clients for more information about how to configure DNS to support roaming clients.