How to move WSUS from one server to another

Sometimes you may find that it’s necessary to move your WSUS server from one machine to another. If this is you then here are the steps to get this done:

1. Install WSUS on the new Server just as you had installed before.

For more information on installing WSUS, see the following link: http://technet.microsoft.com/en-in/library/cc708445(en-us).aspx

2. Match the Advanced Options on the old WSUS Server & the new WSUS Server

Ensure that the advanced synchronization options for express installation files and languages on the old server match the settings on the new server by following the steps below:

  1. In the WSUS console of the old WSUS server, click the Options tab, and then click Advanced in the Update Files and Languages section.
  2. In the Advanced Synchronization Settings dialog box, check the status of the settings for Download express installation files and Languages options.
  3. In the WSUS console of the new server, click the Options tab, and then click Advanced in the Update Files and Languages section.
  4. In the Advanced Synchronization Settings dialog box, make sure the settings for Download express installation files and Languages options match the selections on the old server.

3. Copy Updates from File System of the old WSUS Server to the new WSUS server*

To back up updates from file system of old WSUS server to a file, follow these steps:

  1. On your old WSUS server, click Start, and then click Run.
  2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
  3. Click the Backup tab, and then specify the folder where updates are stored on the old WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\.
  4. In Backup media or file name, type a path and file name for the backup (.bkf) file.
  5. Click Start Backup. The Backup Job Information dialog box appears.
  6. Click Advanced. Under Backup Type, click Incremental.
  7. From the Backup Job Information dialog box, click Start Backup to start the backup operation.
  8. Once completed, move the backup file you just created to the new WSUS server.

To restore updates from a file to the file system of the new server, follow these steps:

  1. On your new WSUS server, click Start, and then click Run.
  2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
  3. Click the Restore and Manage Media tab, and select the backup file you created on the old WSUS server. If the file does not appear, right-click File, and then click Catalog File to add the location of the file.
  4. In Restore files to, click Alternate location. This option preserves the folder structure of the updates; all folders and subfolders will appear in the folder you designate. You must maintain the directory structure for all folders under \WSUSContent.
  5. Under Alternate location, specify the folder where updates are stored on the new WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\. Updates must appear in the folder on the new WSUS server designated to hold updates; this is typically done during installation.
  6. Click Start Restore. When the Confirm Restore dialog box appears, click OK to start the restore operation.

4. Copy Metadata from the Database on the old WSUS Server to the new WSUS Server **

Note: The WSUS Setup program copies WSUSutil.exe to the file system of the WSUS server during installation. You must be a member of the local Administrators group on the WSUS server to export or import metadata. Both operations can only be run from the WSUS server itself, and the Update Service is shut down during the import or export process.

To export metadata from the database of the old Microsoft Windows Server Update Services Server, follow these steps:

  1. At a command prompt on the old Microsoft Windows Server Update Services Server, navigate to the folder that contains WSUSutil.exe (usually located at c:\Program Files\Update Services\tools\).
  2. Type the following: wsusutil.exe export packagename logfile (for example: wsusutil.exe export export.cab export.log). The package (.cab file) and log file names must be unique. WSUSutil.exe creates these two files as it exports metadata from the WSUS database.
  3. Move the export package you just created to the new Microsoft Windows Server Update Services Server.

To import metadata into the database of the new Microsoft Windows Server Update Services Server, follow these steps:

Note: It can take from 3 to 4 hours for the database to validate content that has just been imported. Please be patient.

  1. At a command prompt on the new WSUS server, navigate to the directory that contains WSUSutil.exe. Type the following: wsusutil.exe import packagename logfile (For example: wsusutil.exe import export.cab import.log).
  2. WSUSutil.exe imports the metadata from the old WSUS server and creates a log file of the operation.
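
Steps 3 and 4 move two things between servers: the \WSUSContent folder tree, whose directory structure must be preserved, and the export package, which must come from a source you trust. The Python sketch below is an added example, not part of the original post or of WSUS: it records a SHA-256 manifest on the old server and checks the restored tree and the package against it on the new server before the import is run. The sample folder names, file names and manifest layout are constructed for the illustration, and it assumes Python is available where the files can be read.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large update packages are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(content_root, packages=()):
    """Run on the old server: hash every file under WSUSContent plus the export package(s)."""
    manifest = {"content": {}, "packages": {}}
    for dirpath, _dirs, files in os.walk(content_root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Paths are stored relative to WSUSContent so a broken folder structure is detected.
            rel = os.path.relpath(full, content_root).replace(os.sep, "/")
            manifest["content"][rel] = sha256_file(full)
    for path in packages:
        manifest["packages"][os.path.basename(path)] = sha256_file(path)
    return manifest


def verify_manifest(manifest, content_root, package_dir):
    """Run on the new server before the import. An empty list means a faithful copy."""
    problems = []
    restored = build_manifest(content_root)["content"]
    for rel, digest in manifest["content"].items():
        if rel not in restored:
            problems.append(("missing", rel))
        elif restored[rel] != digest:
            problems.append(("modified", rel))
    for rel in restored:
        if rel not in manifest["content"]:
            problems.append(("unexpected", rel))
    for name, digest in manifest["packages"].items():
        path = os.path.join(package_dir, name)
        if not os.path.isfile(path):
            problems.append(("package-missing", name))
        elif sha256_file(path) != digest:
            problems.append(("package-modified", name))
    return sorted(problems)


def _put(root, rel, data):
    """Helper for the demo: write a constructed sample file."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)
    return path


def demo(faulty=True):
    """Constructed sample trees standing in for the old and new servers."""
    with tempfile.TemporaryDirectory() as tmp:
        old_root, new_root = os.path.join(tmp, "old"), os.path.join(tmp, "new")
        old_content = os.path.join(old_root, "WSUSContent")
        new_content = os.path.join(new_root, "WSUSContent")
        _put(old_content, "1A/sample-update-a.cab", b"update a")
        _put(old_content, "2B/sample-update-b.exe", b"update b")
        package = _put(old_root, "export.cab", b"metadata")
        # The manifest travels as JSON over a channel you trust, separate from the files.
        manifest = json.loads(json.dumps(build_manifest(old_content, [package])))

        _put(new_content, "1A/sample-update-a.cab", b"update a")
        if faulty:
            # Restored one level too deep, and the package differs from what was exported.
            _put(new_content, "WSUSContent/2B/sample-update-b.exe", b"update b")
            _put(new_root, "export.cab", b"metadata-altered")
        else:
            _put(new_content, "2B/sample-update-b.exe", b"update b")
            _put(new_root, "export.cab", b"metadata")
        return verify_manifest(manifest, new_content, new_root)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:17} {name}")
```

A file restored one folder too deep shows up as a "missing" and an "unexpected" entry for the same name, which is the signature of a broken directory structure under \WSUSContent.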

5. Point your Clients to the new WSUS Server.

Next we’ll need to change the Group Policy and make it point to the new server. To redirect Automatic Updates to a WSUS server, follow these steps:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Specify Intranet Microsoft update service location.
  3. Enter the new server details and port in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http(s)://newservername:Port in both boxes.

Note: For more information check http://technet.microsoft.com/en-us/library/cc720539.aspx
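
After step 5, it is worth confirming that clients actually received the new setting. The Specify Intranet Microsoft update service location policy is stored on the client as the WUServer and WUStatusServer values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, with UseWUServer under the AU subkey. The Python sketch below is an added example, not part of the original post: it parses the output of `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s` and flags clients that still point at the old server or have mismatched values. The host names, port and sample outputs are constructed.

```python
import re
from urllib.parse import urlsplit

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
NEW_URL = "http://newwsus.example.test:8530"   # constructed placeholder
OLD_URL = "http://oldwsus.example.test:8530"   # constructed placeholder


def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key_path: {value_name: data}} (lower-cased names)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
            continue
        match = re.match(r"\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if match and current is not None:
            current[match.group(1).lower()] = match.group(3).strip()
    return keys


def endpoint(url):
    """Normalise a URL to (scheme, host, port) so case and default ports compare equal."""
    if not url:
        return None
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port
        return None
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or (443 if scheme == "https" else 80))


def check_client(reg_text, new_url, old_url):
    """Return a list of findings for one client; an empty list means it follows the new server."""
    keys = parse_reg_query(reg_text)
    wu = keys.get(WU_KEY.lower(), {})
    au = keys.get((WU_KEY + "\\AU").lower(), {})
    findings = []
    try:
        use_wu = int(au.get("usewuserver", "0"), 16)   # REG_DWORD is printed as 0x1
    except ValueError:
        use_wu = 0
    if use_wu != 1:
        findings.append("usewuserver-not-enabled")
    server = endpoint(wu.get("wuserver"))
    status = endpoint(wu.get("wustatusserver"))
    if server is None:
        findings.append("wuserver-missing-or-invalid")
    elif server == endpoint(old_url):
        findings.append("wuserver-still-old")
    elif server != endpoint(new_url):
        findings.append("wuserver-unexpected")
    if status != server:        # step 5 sets the same value in both boxes
        findings.append("status-server-mismatch")
    return findings


def sample(server, status, use_wu):
    """Build constructed `reg query ... /s` output for one client."""
    return (
        f"{WU_KEY}\n"
        f"    WUServer    REG_SZ    {server}\n"
        f"    WUStatusServer    REG_SZ    {status}\n"
        "\n"
        f"{WU_KEY}\\AU\n"
        f"    UseWUServer    REG_DWORD    {use_wu}\n"
    )


def audit():
    """Check three constructed clients: migrated, stale, and half-configured."""
    clients = {
        "client-ok": sample(NEW_URL, NEW_URL, "0x1"),
        "client-stale": sample(OLD_URL, OLD_URL, "0x1"),
        "client-split": sample(NEW_URL, OLD_URL, "0x0"),
    }
    return {name: check_client(text, NEW_URL, OLD_URL) for name, text in clients.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, findings or "ok")
```

The same comparison helps when a client stops taking software update actions because another Group Policy has overwritten its update server settings.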

That’s it!

*Important:

The initial settings for access control lists differ between Windows 2000 Server and Windows Server 2003. If you are copying content from Windows 2000 Server to Windows Server 2003, you have to manually add the Network Service group to the access control list for the folder where updates are stored. Give the Network Service group Full Control.

**Important:

Never import exported data from a source that you do not trust. Importing content from a source you do not trust might compromise the security of your WSUS server.

Sudheesh Narayanaswamy | Support Engineer

Coming soon: Two new updates for .NET Framework 3.5 Service Pack 1

We are planning on releasing two updates related to the .NET Framework 3.5 Service Pack 1. Both of these address customer feedback problems that have been reported back to us. To find out what they are see Upcoming Updates for .NET Framework 3.5 Service Pack 1 at the WSUS Product Team blog.

J.C. Hornbeck | Manageability Knowledge Engineer

FCS update re-offer problem resolved – Update now available on WSUS

I see that the WSUS product team just made an announcement about the FCS update re-offer problem and its resolution. I have the meat of it below as well as a link to the source:

Shortly after the release of our previously announced update for Forefront Client Security, we received reports of a previously released update for FCS (Client Update for Microsoft Forefront Client Security (1.0.1703.0)) constantly re-offering.  The Forefront team has tested and released a revision to this older update to resolve this re-offer problem, and this revision is now live for WSUS servers.

Machines managed by WSUS servers will need to:

  1. Synchronize their WSUS server to download the latest revision
  2. Approve the latest revision
  3. Wait for the client to re-scan against the WSUS server to receive the corrected update revision.

Note: Step 2 is not required if you have configured your WSUS server to automatically approve revisions.

For more information see FCS update re-offer problem resolved.

J.C. Hornbeck | Manageability Knowledge Engineer

Summary of Microsoft’s monthly security bulletin release for June 2009

In case you somehow caught a sudden case of amnesia and forgot that we were releasing the June security bulletins yesterday you’re in luck – The Microsoft Security Response Center team just posted details on everything you need to know about what the updates do and considerations to take into account when deploying them. I have their brief intro and a link below:

========

Today we released 10 new security bulletins. 6 of those affect Windows with two rated as critical, three rated as important and one as moderate. The remaining four all have an aggregate rating of critical and affect Internet Explorer, Microsoft Office Word, Microsoft Office Excel and Microsoft Works Converters.

In addition to these new bulletins, we are releasing the remaining updates for MS09-017 which now includes updates for Microsoft Office for Mac (versions 2004 and 2008) and Microsoft Works 8.5 and 9.0. You may recall that we released this bulletin last month with updates only for versions of PowerPoint that run on Windows. Please refer to last month’s bulletin blog post for more information.

To continue reading see June 2009 Bulletin Release.

J.C. Hornbeck | Manageability Knowledge Engineer

June 2009 Advance Notification: Tomorrow we will be releasing a total of 10 security bulletins

Just a heads up that tomorrow, June 9 at 10:00 a.m. Pacific, we will be releasing a total of 10 security bulletins consisting of the following:

 

  • Six updates affecting Windows. Two Critical, three Important, and one Moderate.
  • One Critical update affecting Internet Explorer.
  • One Critical update affecting Word.
  • One Critical update affecting Excel.
  • One Critical update affecting Office.

For details on the bulletins see June 2009 Advance Notification at the MSRC blog.

J.C. Hornbeck | Manageability Knowledge Engineer

Microsoft Security Advisory 971778 Vulnerability in Microsoft DirectShow Released

Just an FYI that we’ve released Microsoft Security Advisory 971778. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we’re working on a security update to address the issue.

Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.

For more information see http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx.

J.C. Hornbeck | Manageability Knowledge Engineer

Two new WSUS product categories for Office Communicator Server and Office Communicator

Just an FYI that the WSUS product team announced the release of 2 new categories for “Office Communicator Server and Office Communicator”. The two new categories are:

Office Communications Server 2007 R2:  The Office Communications Server 2007 R2 product category will include updates for the Microsoft® Office Communications Server 2007 R2, including service packs, critical and security updates.

Office Communicator 2007 R2:  The Office Communicator 2007 R2 product category will include updates for the Microsoft® Office Communicator 2007 R2 , including service packs, critical and security updates.

For more information see http://blogs.technet.com/wsus/archive/2009/05/27/new-product-categories-for-office-communicator-r2-releases.aspx.

J.C. Hornbeck | Manageability Knowledge Engineer

Examining some common problems for the Software Updates Client Agent

Here’s another great post on troubleshooting updates put out by our very own Brent Dunsire.  This was originally targeted towards the update client agent in ConfigMgr 2007 but I figure there’s enough overlap that  you might find it helpful as well.  Enjoy!

========

Hello System Center,

In this post I'd like to share information gleaned from recent support incidents regarding the Configuration Manager 2007 Software Updates Client Agent. The goal for this post is to help by providing details on common problems driving calls to support.

To lay some groundwork, the Software Updates Client Agent is heavily dependent upon the default software update components on the client system. Thus the Software Updates Client Agent often faces similar challenges as seen by Windows Software Updates Services deployments.

Online Content:

The online TechNet library for Configuration Manager has a cornucopia of data covering Software Update Client Agents and their configurations and so please explore relevant links at need.

Before beginning, ensure you’re familiar with the topic: About the Software Updates Client Agent http://technet.microsoft.com/en-us/library/bb694104.aspx

Some of the common problems related to the Software Update Client Agent:

Windows Update Agent is Misdirected

This is an all too common scenario which has a consistent trigger resulting in settings on the client regarding its Active SUP being incorrect.

The Symptom: With regards to patching, your client goes AWOL. In other words, yesterday your client was reporting for duty and downloading updates just fine, but today, while it may still report inventory and execute software deployments, it's no longer taking software update related actions. At least not from your Site.

Note: This is observed both when clients attempt the scan action as well as after a successful scan when trying to pull down updates.

The Trigger: If this sounds like your situation then take a look at the client’s effective Policy. The one common driver we've seen is application of a Group Policy which overwrites the client's current policy, such as its assigned and active SUP. We also see incorrect ports, server names, and related settings passed to Configuration Manager clients by policy. Where do these come from? Good question! They're not from the Group Policy fairy. Investigate any domain or related policies that may have been configured or orphaned and are being applied to the clients. It's also possible that the client has local Group Policy disabled or an error was fat fingered into the expected Policy when configured. Find more here: Troubleshooting Group Policy Configuration for Software Updates

Windows Update Agent connection to the SUP blocked on the network

Another common scenario is a configuration that blocks the client from communicating across the network. This problem is seen elsewhere in Configuration Manager but receives significant attention here as the goal of keeping clients patched is very visible.

Note: Like the first issue of policy delivered settings, network connectivity blocks are observed both when clients attempt the scan action as well as after a successful scan when trying to pull down updates.

Two key flavors are noted:

1. Proxy Servers - Blocking traffic in a variety of ways.

2. Ports blocked - On client firewalls, on the SUP server, and at points in-between on the network.

Also keep in mind the traffic involved in Patch Management can quickly run afoul of settings intended to mitigate floods. The following link is a Forums post regarding SUP to MU syncs but the issue is also relevant for this topic:

http://social.technet.microsoft.com/Forums/en-US/configmgrsum/thread/d63bfbce-35cc-4e60-81d2-554f7527a72b/

Find more here: Ports Used in Software Updates

Assorted Functional Problems on the Client

1. Registry Settings related to WUA Options. Commonly known as AUOptions, these are often delivered via a Group Policy, or set on clients by other means. These are worth noting as they could drive unexpected client behaviors. These are usually set when WSUS has been directly managing a client and not usually found when managed by Configuration Manager.

Find more here: WSUS Client-side Configuration Options: http://technet.microsoft.com/en-us/library/cc526860.aspx

2. Anti-Virus Software. As in other areas of the product, we can see operational collisions with legitimate patching actions. This can block or slow down the process.

3. BITS on the client. Often impacted by our friend Group Policy, these may not be directly associated with patch configurations. And sometimes BITS just isn't functional.

Assorted Patch Installation Experience Issues

Many support issues are opened which are not due to direct failures but due to unanticipated behavior or experiences on the client - usually related to a configurable option. These include:

1. Failed Patch Installations - Sometimes a client doesn't have software that qualifies to be patched despite Administrative expectations. This can happen when a vulnerable file is no longer present or has been updated by another process. This has also been seen where there is confusion over the vulnerable product or product version involved. This can be complex to puzzle out and is further muddled by competing scan solutions which can evaluate compliance using different criteria with different results.

2. Unexpected Patch Installations - It happens: A deployment targets the wrong collection full of systems not intended to be patched or patched with the configured settings. When a patch installs on a system you didn't expect, check the targeted collections and related details. Let’s avoid the uncomfortable silence on the support phone when the incorrectly targeted collection action is identified. Awkward!

3. Pop-ups and Notifications - Finally, several issues are opened which are tied to the Pop-up behaviors as seen on clients:

a) Requests to enable Software Updates on clients - triggered by the Windows Security Center. This is external to Configuration Manager but if your users are reporting this you may wish to ensure policy is not disabling Automatic Updates.

b) Enforcement of Mandatory Deployments (Deadlines). Patch installation times, and what behavior can be expected, is a matter of configuration. Enforced deadlines along with the problem noted below make for very unhappy end users.

c) Deployments Hidden from end users. Misconfigurations of deployments, tied with the deadlines mentioned above, often result in the 'patched and rebooted without warning' situation. Good times.

Find more here:

About the Software Updates End User Experience

Computer Client Agent Properties

Software Updates Client Agent Properties: Update Installation Tab

How to Hide Deployments on Client Computers

General Information:

The following are links you may find useful when approaching Software Update Client Configuration issues and strategies regarding WSUS specific details for the Update Agent:

Configure Automatic Updates in a Non–Active Directory Environment: http://technet.microsoft.com/en-us/library/cc708449.aspx

Brent Dunsire
Product Quality Program Manager
System Center Configuration Manager 2007

WSUS 3.0 SP2 RC Program now available on Microsoft Connect!

Looks like Cecilia Cole announced the availability of the WSUS 3.0 Service Pack 2 Release Candidate over on the WSUS product team blog this morning. All you have to do is sign in to your Connect account or sign up now in order to participate in the RC program, and it’s available to all registered and authenticated users of Connect.

For more details as well as all the new stuff available in the SP2 update see WSUS 3.0 SP2 RC Program now available on Microsoft Connect!.

Enjoy!

J.C. Hornbeck | Manageability Knowledge Engineer

Examining some common problems for Software Update Points

Here’s a great article that our Product Quality Program Manager for Configuration Manager recently posted to our ConfigMgr support team blog. It mainly has to do with issues you might see running WSUS with ConfigMgr 2007 but I figured there might be some overlap so I thought a post here would be helpful as well:

========

Hello System Center,

In this post I'd like to share information gleaned from a quarter's worth of support incidents as regards Configuration Manager 2007 Software Update Points configuration and operations. The goal is for this post to help by providing details on common problems driving calls to support and is focused on the area involving the SUP operations.

It is worth noting that Windows Software Update Server (WSUS) is a key dependency for the Software Update Point (SUP). When WSUS isn't happy, the SUP is also going to have a bad day... Along with this it’s crucial to allow WSUS to be configured by Configuration Manager - as independent configuration of the WSUS Server usually ends in tears, or at least an unruly conflict.

Online Content:

The online TechNet library for Configuration Manager has a plethora of topics covering Software Update Point (SUP) configurations so please explore the relevant links at need.

Before beginning, ensure you're familiar with the core topics: About the Software Update Point http://technet.microsoft.com/en-us/library/bb632674.aspx

Some of the common problems found with Software Update Points:

WSUS Dependencies

Two dependencies in WSUS loom large for Configuration Manager and lead the way for call drivers in this area. Being aware of these two issues might save you time and suffering down the line. I will also note that while not yet released (and thus subject to change) WSUS 3.0 SP2 should provide relief from both of the following problems. Please keep in mind that until WSUS 3.0 SP2 is released, tested with, and supported for use by Configuration Manager, it may introduce problems which cannot be anticipated.

1. Issue per KB 954960. This first common problem is an issue which results in some clients failing to pull down updates from the WSUS Server (SUP). This problem is documented in KB 954960 and occurs due to a recent revision to a Microsoft Office 2003 Service Pack 1 (SP1) update that causes some WSUS 3.0 servers to incorrectly synchronize the revised update with the update’s approvals. When the affected client computers communicate with such a server, the Web service is unable to process the approvals. Therefore, the detection is unsuccessful.

Resolution: The WSUS KB 954960 article provides a download link for the update directly.

2. WSUS Server Uninstalls. Continuing to drive support calls is the problem where the WSUS Server underlying the SUP is found to have been deinstalled. Forums posts correlate this problem with Server Reboots as well as being linked to SMS Site Backup operations. What is understood is this occurs when WSUS is installed on the Site Server, and an MSI repair call is made to WSUS which fails.

While there is no current fix for this problem it is expected to be resolved by WSUS 3.0 SP2 - which is still in beta at this time. Fortunately there are two widely discussed workarounds to be found on the forums which should help:

Workarounds:

· Move the WSUS server off of the Configuration Manager Site server. Note: To date this issue has only been confirmed when WSUS and Configuration Manager are installed on the same machine.

· A manual registry edit can be implemented to prevent the WSUS repair from launching. For more on this please reference various forums postings such as this one: http://social.technet.microsoft.com/Forums/en-US/configmgrsum/thread/ec73565a-93df-48d6-b411-35ffec7d25e4/

Synchronization with Microsoft Updates

When the SUP fails to sync with Microsoft Updates the support hotline rings. There is really only one flavor of problem seen with regularity, so please check this out and potentially save yourself some coin.

Note: This same problem impacts Upstream/Downstream and related Server Sync operations.

1. Port and Proxy Configurations and Authentication. Whether the proxy is hardware, software, on the SUP or on the network, the results are the same. Incorrect configurations equal a sync failure. This includes omitting a proxy, defining one when not needed, WPAD configurations, as well as incorrect authentication, filtering, or port details. It’s recommended you work with your Networking Team to identify any proxy configurations which might exist. I regret that tools and approaches to investigating this type of issue are beyond the scope of this blog. Find more here:

Configuration Manager SUP Configurations

When external dependencies are in hand the next common call driver involves configuration choices for the Software Update Point. These are common enough to represent an ongoing class of issues and to be worth identifying here.

1. Active SUP - With all the configuration details necessary it's not uncommon to overlook defining an Active SUP. Fortunately it's quick and easy to do. Find more here:

2. Ports on the SUP - Bringing up the tail end of common issues is the configuration of the SUP Ports. This is a simple task yet is often overlooked and not validated. It's easy to correct when incorrect as well. If your SUP is involved in a problem, please make this simple check which may be part of the puzzle. Find more here:

General Information:

The following are resources you may find of use when approaching Software Update Point issues and strategies:

Super Flows for SUP Sync: http://www.microsoft.com/downloads/details.aspx?FamilyID=d509a9f4-e397-4d0a-89bb-fa3d68b9e8be&DisplayLang=en

Software Update related TechNet Forums: http://social.technet.microsoft.com/Forums/en-US/configmgrsum/threads/

WSUS Homepage on TechNet: http://technet.microsoft.com/en-us/wsus/default.aspx

WSUS Team Blog: http://blogs.technet.com/wsus/default.aspx

Brent Dunsire
Product Quality Program Manager
System Center Configuration Manager 2007

Coming soon - A new product family: Live Search

Just an FYI that earlier today the WSUS product team officially announced the new Live Search product family. I have a brief intro and a link below:

========

Hello WSUS Admins,

Shortly we will be publishing a new top level category (product family) for WSUS – Live Search. The Live Search product family will include updates for all Live Search products.

To continue reading visit New Product Family - Live Search

J.C. Hornbeck | Manageability Knowledge Engineer

Coming soon to WSUS - Vista and Windows Server 2008 SP2

Looks like the Microsoft Update Product Team blog just announced that Service Pack 2 for Windows Vista and Windows Server 2008 is scheduled to come to WSUS in the next couple weeks. I don’t want to steal all of their thunder but I have their intro and a link below:

========

Hi All,

Just a heads up to prepare for Windows Vista  and Windows Server 2008 Service Pack 2. It will be available in the coming weeks on the Download Center (DLC) and also through Windows Update and WSUS. On April 28th, we announced the Release to Manufacturing (RTM) of Service Pack 2 (SP2) for Windows Vista and Windows Server 2008. SP2 includes all updates that were released since SP1. It also includes support for new types of hardware and other technology improvements. For more information on the changes with SP2, see the notable changes document on TechNet.

To continue reading see Get ready for Vista and Win2k8 SP2!

J.C. Hornbeck | Manageability Knowledge Engineer

A quick fix for Windows Update client issues

Many times here in the WSUS product support group we get calls that boil down to some sort of issue with the client. Maybe a DLL is no longer registered for some reason, or maybe the proxy isn’t configured, who knows. Well what if I told you there was an easy way to repair almost any common Windows Update client configuration issue with just a few clicks of your mouse?

Well today you can do this thanks to one of our new Microsoft Fix It automated solutions.  With just a few clicks you can reset the Windows Update client and make it work like new.  To check this out for yourself visit KB971058: How do I reset the Windows Update settings? and click on the Fix It button:

I won’t go into all the gory details about what this cool Fix It does as you can read that directly from the source, but the next time you think you may have a problem with one of your Windows Update clients you might give this a shot.  You never know, it just might save you a couple hours that would otherwise be better spent playing Server Quest.

J.C. Hornbeck | Manageability Knowledge Engineer

FYI: We just posted Microsoft Security Advisory 971492

Actually this was last evening but in case you missed it here are the details from the MSRC blog:

This advisory contains information regarding public reports of a vulnerability in Microsoft Internet Information Services (IIS) that could allow Elevation of Privilege. Products affected are IIS 5.0, IIS 5.1, and IIS 6.0. The advisory contains guidance and workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.

At this time, we are not aware of any known attacks that attempt to use this vulnerability.

For more information see Microsoft Security Advisory 971492.

J.C. Hornbeck | Manageability Knowledge Engineer

Security Bulletin Webcast Video, Questions and Answers – May 2009

In case you missed it on Friday, the folks over at the MSRC blog posted their webcast Question and Answer session to the web. In the May 2009 security bulletin webcast they addressed several questions relating to MS09-017 in addition to questions about WSUS and MBSA. For those questions that came in after they concluded the webcast, they provided answers in the published Q&A which you can find here:

Security Bulletin Webcast Video, Questions and Answers – May 2009

Enjoy!

J.C. Hornbeck | Manageability Knowledge Engineer
