2025-03-29 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
Background introduction
After the EternalBlue incident, customers began to take system patching seriously. Because of the customer's high confidentiality requirements, the intranet is not allowed to connect to the Internet. Manually updating each server with the wsusoffline tool is a heavy workload, and the customer has no budget for third-party patch update software, so the plan is to use a WSUS server to distribute patches without connecting to the public network.
Environment introduction
The customer's servers are in a workgroup environment, and the private network contains two types of server: Windows Server 2003 R2 and Windows Server 2008 R2. The WSUS 3.0 SP1 included in Windows Server 2008 R2 is no longer supported, so adding the WSUS role always fails with errors. If you must use Windows Server 2008 R2, you need to download WSUS 3.0 SP2 from Microsoft to build the WSUS server. The WSUS server here is therefore built on Windows Server 2012 R2.
Operation steps
1. Set up a WSUS server in the public network environment to download the patches (the build process is omitted here). After the build is complete, configure the Update Files and Update Languages options. The language option determines which operating system languages patches are downloaded for. The update file options are as follows:
(1) Download update files to this server only when updates are approved. With this option, only the metadata of a patch is downloaded before approval, not the patch itself. The advantage is that bandwidth is saved; the disadvantage is that the patch is not actually downloaded until it has been approved. Microsoft recommends this option, and it is the default.
(2) Download express installation files. With this option, the patch is downloaded to the local server before approval and installed after approval. The advantage is that if a computer in the intranet already has an older version of a patch installed, only the difference between the old and new patch is installed, which reduces the load on the intranet network. The disadvantage is high bandwidth consumption on the external network.
Given the actual environment, the option to download the installation files is chosen here. Note that the Update Files and Update Languages settings of the WSUS server in the intranet must be consistent with the options chosen here. The Update Source and Proxy Server, Products and Classifications, and Synchronization Schedule settings can be ignored.
To make downloading easier, set the automatic approval option to any classification, and then start downloading the patches.
2. When the download is complete, find the WsusContent directory under the specified patch storage path; the downloaded patches are stored there. You can back it up with any backup software or with the Xcopy tool and then restore it on the intranet WSUS server. Be careful not to change the hierarchy under the directory. Here the most basic method is used: copying the directory directly.
3. If only the WsusContent directory is copied to the WSUS server in the private network, intranet computers still cannot download patches normally. You also need to use the wsusutil tool included with WSUS to export the patch metadata from the public-network WSUS server. The tool is located in the C:\Program Files\Update Services\Tools directory. It cannot be opened by double-clicking and must be run from the command line. The command format is:
wsusutil.exe export packagename logfile # packagename is in .cab format, logfile is in .log format, and the packagename and logfile names must be exactly the same.
4. Set up a WSUS server in the internal network, with the patch storage location consistent with that of the external network server, and copy the WsusContent directory to the intranet WSUS server.
5. Then use the wsusutil tool to import the patch metadata from the public-network WSUS server. The metadata must be re-imported every time the patches on the private-network WSUS server are updated.
6. Open IIS Manager and confirm the port number used by WSUS.
7. On one computer in the intranet, set the WSUS server address in Group Policy to the actual address, and then run gpupdate /force to refresh Group Policy.
8. Open the registry on this computer, export the Windows Update key to a .reg file, and send it to the other computers in the intranet. Double-clicking the file points them to the running WSUS server, and the operation is complete.
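The server-side transfer in steps 2 to 5, as an added example that is not part of the original article: it wraps the export, copy and import in two PowerShell functions and adds a SHA-256 manifest so the intranet server refuses to import files that were altered or lost while crossing the air gap. The content path, the media path, the package name and the function names are assumptions; run Export-WsusTransfer on the public-network server and Import-WsusTransfer on the intranet server.

```powershell
# Added example, not from the original article. Paths, the package name and
# the removable-drive letter are assumptions; adjust them to your environment.
$Tools   = 'C:\Program Files\Update Services\Tools'
$Content = 'D:\WSUS\WsusContent'      # assumed patch storage path, same on both servers
$Media   = 'E:\wsus-transfer'         # assumed removable media used to cross the air gap

function Export-WsusTransfer {
    # Run on the public-network WSUS server (steps 2 and 3).
    New-Item -ItemType Directory -Path $Media -Force | Out-Null
    # Step 3: export the update metadata; package and log share the same base name.
    & "$Tools\wsusutil.exe" export "$Media\wsusmeta.cab" "$Media\wsusmeta.log"
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed ($LASTEXITCODE)" }
    # Step 2: copy WsusContent without changing the directory hierarchy.
    robocopy $Content "$Media\WsusContent" /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported a failure ($LASTEXITCODE)" }
    # Record a SHA-256 hash per file, keyed by path relative to the media root.
    Get-ChildItem $Media -Recurse -File | Where-Object Name -ne 'manifest.csv' |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName.Substring($Media.Length + 1)
                Hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv "$Media\manifest.csv" -NoTypeInformation
}

function Import-WsusTransfer {
    # Run on the intranet WSUS server (steps 4 and 5).
    # Refuse to import anything if a file is missing or was altered in transit.
    $bad = Import-Csv "$Media\manifest.csv" | Where-Object {
        $file = Join-Path $Media $_.Path
        -not (Test-Path $file) -or
            (Get-FileHash $file -Algorithm SHA256).Hash -ne $_.Hash
    }
    if ($bad) { throw "Integrity check failed for: $($bad.Path -join ', ')" }
    # Step 4: restore the content first, keeping the same directory layout.
    robocopy "$Media\WsusContent" $Content /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported a failure ($LASTEXITCODE)" }
    # Step 5: import the metadata that matches the copied content.
    & "$Tools\wsusutil.exe" import "$Media\wsusmeta.cab" "$Media\wsusmeta.log"
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed ($LASTEXITCODE)" }
}
```

A manifest carried on the same media only catches corruption and accidental changes; to detect tampering, record the hash of manifest.csv and bring it to the intranet over a separate channel.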
Supplementary explanation
1. After other computers in the private network run the .reg file, the registry key is modified, but Group Policy still shows as not set. Patches can nevertheless be obtained normally from the WSUS server. Presumably Group Policy and the registry are not stored in the same location.
2. In repeated tests, other computers in the intranet can find the WSUS server after running the registry file, but the behavior varies: sometimes updates work immediately, sometimes an error occurs and the system returns to normal after a reboot, and sometimes this error keeps being reported despite repeated restarts and Group Policy refreshes. Searching online suggests the error is caused by a network failure, which is strange because all the machines are in the same network environment. It is unclear how to solve this fault; I feel that its occurrence is very random.
3. WSUS identifies PCs by computer name. If two PCs in the environment have the same computer name, only the one that reported to the WSUS server later is recorded in the All Computers list in WSUS, although both PCs can get patches from the WSUS server.