Configure WSUS for Network Load Balancing
Updated: July 19, 2011
Applies To: Windows Server Update Services, Windows Small Business Server 2011 Standard, Windows Server 2008 R2, Windows Server 2003 with SP2, Windows Server 2008 R2 with SP1
Network load balancing (NLB) is an optional feature of Windows Server that load balances network traffic for high availability. You can install Windows Server Update Services (WSUS) 3.0 SP2 in a network that uses NLB, but this configuration requires that you perform additional steps during WSUS setup.
After you install WSUS and configure a SQL Server database in a failover cluster, you can configure NLB. For more information about how to set up an NLB cluster, see Network Load Balancing.
In this topic:
Install WSUS on the first front-end server and configure it to use a remote database. This process is described in Install the WSUS 3.0 SP2 Server Software Through the User Interface.
This step installs WSUS on additional front-end WSUS servers, but it does not create a WSUS database.
You cannot assign more than four front-end WSUS servers to a single database instance.
Follow the instructions in To run WSUS Setup from the command line to install the WSUS server software on the additional WSUS servers by using the command line. Use the following flags for the command:
WSUS30-KB972455-xxx.exe /q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server\instance CREATE_DATABASE=0
where WSUS30-KB972455-xxx.exe is the executable program that matches the server operating system.
If you use the default SQL Server instance, you must leave the instance name blank.
Each front-end WSUS server should use a proxy server, and should authenticate to the proxy server by using the same user name and password. You can configure these settings by using the WSUS administration console. For more information about how to configure WSUS to use a proxy server, see Configure the proxy server and Change the WSUS proxy server specification using the WSUS Administration Console.
All front-end servers share this information and configuring the proxy server only needs to be done once from any node.
You should create a single shared file location that is available to all of the front-end WSUS servers. You can use a standard network file share and provide redundancy by storing updates on a RAID controller, or you can use a Distributed File System (DFS) share. The domain account of each front-end WSUS server must have Change permissions on the root folder of the file share. That is, if there is a WSUS server installed locally on the computer that has the DFS share, the Network Service account should have change permissions on the root folder. In addition, the user account of the administrator who will run movecontent should have Change permissions.
After you install a WSUS update, check the NTFS file system permissions for the WSUSContent folder. The NTFS file system permissions for the WSUSContent folder may be reset to the default values by the installer.
For more information about how to set permissions on DFS shares, see article 308568 in the Microsoft Knowledge Base.
To access the updates or metadata that reside on the file share, you must configure Internet Information Services (IIS) on the front-end WSUS servers to allow for remote access. For more information, see Configure Internet Information Services in this deployment guide.
You must move the content directories from the first front-end WSUS server to the file share. You do not have to repeat this step for additional front-end WSUS servers.
You must manually update the registry on all machines other than the machine that movecontent is run on. The current storage location can be found or verified in the registry. It is stored in the ContentDir value in the HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup key.
To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.
Open the following WSUS tools folder:
cd \Program Files\Update Services\Tools
Type the following command:
wsusutil movecontent Filesharename logfilename
where Filesharename is the name of the file share to which the content should be moved, and logfilename is the name of the log file.
To configure NLB, follow the instructions that are provided in Network Load Balancing Clusters in the Windows Server Technical Library.
You should make sure that at least one WSUS front-end server can synchronize. If the synchronization is successful, proceed to the next step. Otherwise, review the WSUS setup and NLB cluster setup. Correct any problems with the configuration and then retest the synchronization.
You can find instructions for configuring WSUS client computers in Update and Configure the Automatic Updates Client Computer. However, for WSUS on NLB clusters, you should specify the virtual address of the NLB cluster instead of the individual servers. For example, if you set up client computers by using a Group Policy Object or Local Group Policy Object, the setting for the Specify intranet Microsoft update service location setting should be the virtual web address.
If you use a DFS share, be careful when you uninstall WSUS from one, but not all, of the front-end servers. If you allow the WSUS content directory to be deleted, this will affect all the WSUS front-end servers.
For information about upgrading a Network Load Balancing (NLB) cluster, see Upgrading an existing Network Load Balancing Cluster.