Shulou(Shulou.com)06/02 Report--

1. WSUS installation requirements 1. Hardware requirements:

For servers with up to 13000 clients, the following hardware is recommended:

* 4 Core E5-2609 2.1GHz processors

* RAM of 8 GB

2. Software requirements:

To install WSUS using the default options, the following software must be installed on your computer.

* Microsoft Internet Information Services (IIS) 6.0.

* Microsoft.NET Framework 2012 Service Pack 1 for Windows Server 2012 R2.

* Background Intelligent Transfer Service (BITS) 2.0.

3. Disk requirements:

To install WSUS, the file system on the server must meet the following requirements:

* both the system partition and the partition where WSUS is installed must be formatted using the NTFS file system.

* the system partition requires at least 1 GB of free space.

* the volume used by WSUS to store content requires at least 60 GB of free space. It is recommended to reserve 40 GB of space.  

II. Description of the environment

Currently, there is a server for WSUS. The configuration and features are as follows:

WSUS configuration list

Operating system version: Windows Server 2012 R2 Chs

ServerName: CNHZWS01

IP Address: 192.168.1.12

Mask 255.255.255.0

GateWay 192.168.1.1

DNS Server 192.168.1.10 192.168.1.11

System disk (C) size 1TB

The location and size of the PageFile are defined according to the usual definition.

Note:

Domain name: vancen.com

Install the server role

First, we check the configuration of the first service network that has Windows Server 2012 R2 installed, and make sure that the server IP address, subnet mask, and default gateway parameters are as follows

Step 1: configure and modify the IP and DNS addresses of the server

Step 2: modify the WSUS server name and join the service to the VANCEN domain

Step 3: enter a user name and password with domain permissions to join the server to the VANCEN domain

Step 4: prompt the server to join the VANCEN domain successfully

Step 5: restart the server immediately for the application to take effect

Step 6: log in to the server where you plan to install the WSUS server role using the account of the local Administrators group member. In Server Manager, click Dashboard, and then click add roles and Features

Step 7: on the before you start page, click next

Step 8: on the Select installation Type page, verify that the role-based or feature-based installation option is selected, and then click next

Step 9: on the Select Target Server page, select the location of the server (from the server pool or virtual hard disk). After selecting the location, select the server where you want to install the WSUS server role, and then click next

Step 10: select the default server here. If you need to install the role of "windows server Update Service" for other hosts, you can select the host you need here. Click "next" and check "windows server Update Service" here.

Step 11: when this option is checked, the following dialog box will pop up and click "add function".

Step 12: on the Select Features page, leave the default selection, and then click next

Important matters

WSUS requires only the default Web Server role configuration. If you are prompted to configure additional Web Server roles when setting up WSUS, you can safely accept the default values and continue to set WSUS.

Step 13: on the Windows Server Update Services page, click next

Step 14: on the Select role Services page, leave the default selection, and then click next

Step 15: on the content location selection page, type a valid location to store the update, and then click next

The location to store the updates can be the local path of the WSUS, or it can be placed on the UNC share.

Step 16: check the configuration of the web server role IIS. We can keep it by default here. Click next directly.

Step 17: confirm everything you want to install. Click "next" after confirmation.

Step 18: on the installation Progress page, click install Task after Startup, wait until this task is successfully completed, and then click close

In the server manager, verify that there is a notification that reminds you that you need to restart. This may vary depending on the server role installed. If a reboot is required, be sure to restart the server to complete the installation.

Step 19: start the post-installation task

Fourth, use the configuration wizard

After completing the installation of the first-level WSUS server role, the first time you use WSUS, you will go to the WSUS configuration wizard to make a basic setting for WSUS. Of course, this configuration wizard is integrated into WSUS, and you can use the configuration wizard to configure WSUS at any time.

Step 1: in the Server Manager navigation pane, click Dashboard, click tools, and then click Windows Server Update Services.

The step 2:Windows Server Update Services wizard appears on the before you start page, click next.

Step 3: read the instructions on the "join the Microsoft Update and improvement Plan" page to evaluate whether you want to participate. If you want to participate in the program, click next to continue.

On the Select upstream server page, you can choose to synchronize updates with Microsoft updates or other WSUS servers.

If you choose to synchronize from another WSUS server, specify the server name and the port on which the server communicates with the upstream server.

To use SSL, select the use SSL when synchronizing update information check box. The server will use port 443 for synchronization. (ensure that the server and upstream servers support SSL).

If this is a replica server, select the "this is a copy of the upstream server" check box.

Step 4: after selecting the appropriate options for your deployment, click next to continue.

Because I am currently deploying a first-tier WSUS server, I choose to synchronize directly from microsoft.

On the specify proxy server page, select the use proxy server when synchronizing check box, and then type the proxy server name and port number (default is port 80) in the corresponding box.

Important matters

If you are sure that WSUS requires a proxy server to access Internet, you must complete the previous step.

If you want to connect to the proxy server by using specific user credentials, select the use user credentials to connect to the proxy server check box, and then type the user name, domain, and user password in the corresponding box. If you want to enable basic authentication for users connected to the proxy server, select the allow basic authentication (send password in clear text) dialog box.

Step 5: at this point, you have completed the proxy server configuration. Click next to go to the next page, where you can start setting up the synchronization process.

Step 6: on the Connect to Upstream Server page, click start connection.

Step 7: when you connect it, then click next to continue.

An internet link is required here.

On the "Select languages" page, you can select the languages that WSUS will receive updates-all languages or subsets of languages. Selecting a subset of languages will save disk space, but you must select all languages required by all clients of this WSUS server. If you choose to get updates for only specific languages, select "download updates for those languages only", and then select the language you want to update; otherwise, leave the default selection.

Step 8: after selecting the appropriate language for your deployment, click next to continue.

Chinese mainland generally chooses English and simplified Chinese.

If you select the "download only updates for these languages" option, and the server has a downstream WSUS server connected to it, this option will force the downstream server to use only the selected language.

Step 9: the Select products page allows you to specify the products you want to update. Select a product category, such as Windows, or a specific product, such as Windows Server 2008. Selecting a product category selects all products in that category.

Step 10: after selecting the appropriate product options for your deployment, click next to continue.

On the Select Category page, select the update category you want to include. Select all categories or their subsets, and then click next to continue.

Step 11: after selecting the appropriate product options for your deployment, click next to continue.

On the set synchronization schedule page, select to perform the synchronization manually or automatically.

If you choose Manual synchronization, you must start the synchronization process through the WSUS Management console.

If you choose Auto Sync, the WSUS server will perform synchronization at regular intervals.

Set the time for "first synchronization" and set the number of times you want the server to perform "synchronization per day". For example, if you specify that synchronization occurs four times a day, starting at 3:00, synchronization will occur at 3:00, 9:00, 3:00, and 9:00

Step 12: on the finish page, you can start the synchronization immediately by selecting the start initial synchronization dialog box. If you do not select this option, you must use the WSUS Management console to perform the initial synchronization. If you want to read more about other settings, click next, or click finish to finish the wizard and complete the initial WSUS settings.

Step 13: after you click finish, the WSUS Management console appears.

Step 14: click the synchronization view to view the synchronization process as shown in the figure.

Step 15: after the synchronization is complete, as shown in the figure.

After the initial configuration using the WSUS configuration wizard, we will use the WSUS console to further configure the WSUS server.

Group Policy configuration automatic updates

Make an automatic update policy in default domain policy that affects global computers.

Step 1: in the Group Policy Management console (GPMC), browse to the default default domain policy GPO, and then click Edit.

Step 2: in GPMC, expand computer configuration-> policies-> Administrative templates-> Windows components-> Windows updates.

Step 3: in the details pane, double-click configure automatic updates. Here I choose 3-automatically download and notify the installation, and then click OK.

Click enabled, and then click one of the following options under the configure automatic updates settings:

Download notifications and install notifications. This option notifies the logged-in administrative user before you download and install the update.

Automatic download and notification installation. This option automatically starts downloading the update and then notifies the logged-in administrative user before installing the update.

Automatic download and scheduled installation. This option automatically starts downloading the update and then installs the update on the day and time you specify.

Allow local administrators to select settings. This option allows local administrators to select configuration options using automatic updates in the Control Panel. For example, they can choose the scheduled installation time. Local administrators cannot just use automatic updates.

Step 4: in the Windows Update details pane, double-click specify Intranet Microsoft Update Service location.

Step 5: click enabled, and then type the URL of the same Intranet server in the set Intranet Update Service to detect updates box and the set WSUS Statistics Server box for example, in both boxes (where the server name is the name of the WSUS server), type http://servername, and then click OK.

Step 6: when you type the Intranet address of the WSUS server, be sure to specify which port to use. By default, WSUS uses port 8530 for HTTP and port 8531 for HTTPS. For example, if you use HTTP, you should type http://servername:8530.

Can set "automatic update detection frequency", the default is 22 hours, we can adjust the interval according to the actual needs. As shown in the picture.

Step 7: you can enable the scheduled automatic update installation does not restart for the logged-in user's computer, so that when the computer has a logged-in user, whether the update is restarted depends on the user's behavior. the computer will not be forced to restart, as shown in the figure.

Step 8: for some updates that do not interrupt the windows service and do not need to restart the server to take effect, we can configure to enable "allow automatic updates to install now", as shown in the figure.

After the global level group policy is set, we can also configure different automatic update policies for the test combination production group.

Let's configure a custom GPO for the test server group, which takes precedence over the default domain group policy, so all computer clients within the OU of the computer to which the GPO is linked will take precedence to apply this policy.

Step 9: right-click the Test Server Group computer OU, and select create GPO in this domain and link here, as shown in the figure.

Step 10: enter the name of the new GPO, as shown in the figure.

Step 11: then we right-click the newly created GPO and select Edit, as shown in the figure.

We can then set a different automatic update policy for the GPO, which will be applied by all computer OU linked to this policy.

Generally speaking: the server and client of the test environment we can configure automatic download notification installation or automatic download plan installation, for the production environment client we can set automatic download and plan installation, for the production server group, if you need to manually control the patching behavior and restart time, we can configure automatic download and notify the installation, depending on the requirements.

Step 12: the following figure shows the automatic download and planned installation strategy I set for the production client computer group.

After you set the policy, the client computer appears on the computers page in the WSUS Management console a few minutes later. For client computers with domain-based Group Policy objects, Group Policy will take approximately 20 minutes to apply the new policy settings to the client computers. By default, Group Policy is updated every 90 minutes in the background, and the time is randomly adjusted from 0 to 30 minutes. If you want to update group policy faster, open the Command prompt window on the client computer and type gpupdate / force.

6. WSUS view status report

By default, the status report cannot be viewed in the WSUS console. If you want to view the status report normally, you need some plug-ins and features to support it. Let's look at the whole implementation process.

Step 1: first, we randomly right-click a client and select "status report", as shown in the figure.

Step 2: we will be prompted that this feature requires the use of microsoft report viewer 2008 redistributable components, as shown in the figure.

Step 3: we can click on the link in the image above and open the website of microsoft to download, as shown in the figure.

Step 4: then let's install this component, as shown in the figure.

Step 5: during the installation process, prompt us to need the support of. Net framework, as shown in the figure.

Step 6: let's pause the installation, go back to adding roles and features, and install the features of .netframework 3.5.1, as shown in the figure.

Step 7: then we continue with the installation of the components, as shown in the figure.

Step 8: after the above installation is completed, you can turn on the status report function smoothly, as shown in the figure.

7. Configuration of common console options for WSUS

1. In the WSUS console, many options are provided by default, which provide a good way for us to better manage and use WSUS. First of all, let's take a look at the computer cleanup Wizard. Generally, we can run the computer cleanup Wizard once a month to clean up unwanted updates, free disk space, and so on. The specific way the cleanup wizard opens is as follows.

The cleanup operations that can be done after opening are as follows. We can choose all by default, or we can make custom choices as needed. This cleanup wizard is useful if there are a large number of computers in the company's environment.

2. Another feature is that we can configure email notifications. Select options, email Notification.

In the general tab of email notification, we make the settings shown in the following figure.

You can see notifications that new updates and status reports can be sent through WSUS. You can configure multiple recipients and configure synchronization frequency and time information.

On the email server tab, you can configure email server information, sender information, and SMTP authentication information to receive notifications.

Click "Test" in the image above, and we are prompted to save it before testing, and select "Yes".

Sending test email, as shown in the figure.

We now open QQ Mail's inbox and see the test email we just sent.

The patch server deployment and configuration is complete.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.