No matter how well it seems that software is written, there is always a need for bug fixes and security patches. In addition, there never seems to be an end to the need for updated drivers and minor feature upgrades. Sometimes it seems that the system administrator's job never ends.

Microsoft Update

The later versions of Windows included the Windows Update feature, later updated to Microsoft Update. Microsoft Update is used to keep your Windows system and selected components up-to-date by connecting to the Microsoft Update website over the Internet and automatically downloading and installing security fixes, critical updates, and new drivers. These updates are used to resolve known security and stability issues with the Windows operating system. Although relying on Microsoft Update is fine if you have only a few computers, in an enterprise environment, it leaves much to be desired. Consider the following:
Note: Windows Update
Although the Windows Update website still exists, the Microsoft Update website provides the same patches in addition to patches for Microsoft Office and the Microsoft line of server-based applications.

Windows Server Update Services

Fortunately, Microsoft has provided Windows Server Update Services (WSUS) to assist the system administrator in managing updates in the small- to medium-sized enterprise environment. Microsoft WSUS is a service that can be installed on an internal Windows 2000 or Windows Server 2003 server and that can download all critical updates as they are posted to Microsoft Update. Administrators can also receive email notification when new critical updates have been posted. The client computers and servers can be configured through Group Policy or the Registry to contact the internal WSUS server for updates, instead of going out over the Internet to the Microsoft servers. WSUS is basically an internal version of the Microsoft Update service, with the exception that the network administrator has the option to control which updates get downloaded from Microsoft and which ones get installed on the computers in the environment. WSUS allows administrators to quickly and easily deploy most updates to Windows 2000 or Windows Server 2003 servers as well as desktop computers running Windows 2000 Professional or Windows XP Professional. You can install multiple WSUS servers in your environment, either for load balancing or for test purposes. For example, you can set up a WSUS server to automatically download all the latest updates from Microsoft. After they have been downloaded, you can distribute the updates to test computers to verify compatibility with the existing software. After the updates have been tested, they can be published to the production environment. A basic WSUS configuration is shown in Figure 18.1.
In this example, the WSUS server in the headquarters is configured to run a scheduled synchronization with the Microsoft Update website. The administrator then publishes the updates to a group of test computers. After testing has been completed, the approved updates on the HQ server are distributed to the other WSUS clients in the enterprise.

Figure 18.1. A basic WSUS configuration, including test computers.

This type of configuration is enabled by utilizing Computer Groups. Computer groups allow the administrator to segregate computers into different groups with different deployment rules. In our previous example, the test computers would be in a separate group, and the rest of the computers in the organization would be in a different group. Another example would be to separate servers from workstations. Although most workstations can be patched just about any evening, servers usually work around the clock, so they would need a scheduled maintenance window. You can also utilize a downstream WSUS server, as shown in Figure 18.2. In this configuration, the upstream WSUS server obtains all the updates from the Microsoft website. The downstream servers then receive the approved updates from the upstream server. This configuration is typically used in organizations that have multiple sites connected by a WAN. Because the downstream WSUS servers don't have to access the Internet, and can only download approved updates from the upstream WSUS server, this gives the administrator more control over the patching process, and reduces the required bandwidth. However, the remote administrators will still be allowed to change some configuration settings, including adding additional computer groups.

Figure 18.2. The upstream server approves all updates.

Another typical configuration is shown in Figure 18.3. In this configuration, traveling laptop users or VPN clients are assigned to a separate computer group on a designated WSUS server.
The users assigned to this group will get their approvals from their assigned WSUS server, but they will obtain their updates directly from the Microsoft Update website. This allows the administrator to control which patches are installed on these machines, but doesn't require the administrator to supply the storage space or the bandwidth required to download the patches.

Figure 18.3. Remote clients download directly from Microsoft Update.

WSUS requires a SQL database to hold its configuration information and a catalog of the updates. A copy of WMSDE for Windows Server 2003 is included with the WSUS installation and should be used for most installations of WSUS. Unlike the previous versions of the Microsoft SQL Desktop Engine (MSDE), WMSDE is not limited to 2GB. Windows 2000 Server installations can either use MSDE for small installations or SQL Server for larger environments. WSUS allows you two options for storing updates: local or remote storage. In the local storage option, all approved updates are downloaded from Microsoft Update and stored on your WSUS server. When your clients need an update, they obtain it from the store on the WSUS server. With remote storage, no updates are downloaded to your WSUS server. When the clients need an update, they download the approved updates directly from the Microsoft Update site. For those remote sites where there isn't an administrator available to manage the WSUS servers, you can install replicas. A WSUS replica server is a mirrored installation of the upstream server. Unlike in the downstream configuration we discussed earlier, you can't add additional Computer Groups to a replica server.

Installing Windows Server Update Services

WSUS is not included with Windows Server 2003; instead, it must be downloaded from the Microsoft website at http://go.microsoft.com/fwlink/?LinkId=47374. The requirements for WSUS for up to 500 clients are as follows:
To install WSUS, use the procedure in Step by Step 18.1.

Note: Windows Server 2003 SP1
BITS 2.0 and .NET Framework 1.1 SP1 are included in Windows Server 2003 SP1 and later.
After the installation procedure has completed, you can connect to the WSUS Administration page by entering http://servername/WSUSAdmin. From the WSUS Administration page, you can synchronize the server with the Microsoft Update site and configure various options. This initial synchronization is required so that you will be able to view the available updates. By default, the synchronization procedure will display updates for all products in all languages. To save on bandwidth, you can go to the Synchronizations page and select only the products and languages that you want to see.

Note: WSUS Administrators
The WSUS installation adds a new local group, WSUS Administrators. You must be a member of this group or the local Administrators group to configure and manage WSUS.

To synchronize WSUS with the Microsoft Windows Update site, use the procedure in Step by Step 18.2.
There is also an option to specify a local WSUS server to synchronize with. Along with this option is a check box that specifies that only approved items should be synchronized. These options are used in the scenario with multiple WSUS servers that we covered earlier. Using these options allows you to download updates only to a single server. The updates are tested and approved on the HQ WSUS server. By configuring your other WSUS servers to point to this central server and to synchronize only approved updates, you can reduce the traffic on your network.

Note: Initial Synch
The initial WSUS synchronization can potentially take a long time, depending on how many products and languages you are supporting. It's best to schedule the first WSUS synchronization for either overnight or over a weekend.

Computer Groups

Earlier in the chapter, we briefly discussed Computer Groups. Computer Groups allow you to target a group of computers with different patches on a different schedule than other groups. This is handy: if your development group is in the final stages of readying a release and has "frozen" its test machines, you won't inadvertently install patches that could interfere with its test cycle. By default, all computers are automatically added to the All Computers group and the Unassigned Computers group. When a computer is assigned to a specific group, it is automatically removed from the Unassigned Computers group. All computers registered with WSUS will remain in the All Computers group until they are removed from the WSUS environment. There are two ways to assign a computer to a group in WSUS:
Unfortunately, you can use one or the other method, but not both. To select the method of assigning computers to groups, use the process in Step by Step 18.3.
Configuring Clients for Automatic Updates

After the updates have been synchronized and approved, and the Computer Groups configured, the updates are ready to be distributed to the clients. To connect to the WSUS server, the client should have the Automatic Updates software installed. The correct version is included with the following:
These versions of the Automatic Updates client don't support WSUS, but they will automatically self-update to a version that does. Older versions of the Windows Update client do not support WSUS at all. For older operating systems, you will have to download the updated client from the WSUS web page at http://www.microsoft.com/windowsserversystem/updateservices/default.mspx. By default, the Microsoft Windows client and server operating systems are configured to obtain updates from the Windows Update site; they must be reconfigured to obtain updates from the Microsoft Update site or a WSUS server. Although you can manually edit the Registry of Windows servers and clients to use a WSUS server, that process is time consuming and error prone. The most efficient way to make this change is via Group Policy. We're going to target your test server that's installed in the Workstations OU using the procedure in Step by Step 18.4.
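As an added example (not code from the book), the script below models the Automatic Updates client policy that the Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, including client-side targeting into a Computer Group and the scheduled-install, reboot and detection-frequency options. The server URL http://wsus.example.local and the group name "Test Computers" are placeholder assumptions; the value names are the documented Automatic Updates policy values. It renders the policy as a .reg file (the manual Registry route the text mentions) and audits an exported policy to confirm the client really points at the internal WSUS server rather than at Microsoft Update.

```python
"""Render and audit the Automatic Updates client policy for a WSUS server.

Added example. Server URL and group name below are constructed placeholders;
the registry paths and value names are the documented Automatic Updates
policy values that the WSUS Group Policy settings write.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"

# Valid AUOptions values for the "Configure Automatic Updates" policy.
AU_NOTIFY_DOWNLOAD = 2          # notify before download
AU_AUTO_DOWNLOAD_NOTIFY = 3     # download automatically, notify before install
AU_AUTO_SCHEDULED_INSTALL = 4   # download and install on the schedule below
AU_LOCAL_ADMIN_CHOOSES = 5      # let the local administrator pick a setting
VALID_AU_OPTIONS = (AU_NOTIFY_DOWNLOAD, AU_AUTO_DOWNLOAD_NOTIFY,
                    AU_AUTO_SCHEDULED_INSTALL, AU_LOCAL_ADMIN_CHOOSES)


def wsus_policy(server_url, target_group=None, install_day=0, install_hour=3,
                detection_hours=22, no_reboot_with_users=True):
    """Return the policy values a client needs to use an internal WSUS server."""
    wu = {
        "WUServer": server_url,          # where approved updates are fetched from
        "WUStatusServer": server_url,    # where the client reports its statistics
    }
    if target_group is not None:         # client-side targeting into a Computer Group
        wu["TargetGroupEnabled"] = 1
        wu["TargetGroup"] = target_group
    au = {
        "UseWUServer": 1,                        # use WUServer instead of Microsoft Update
        "AUOptions": AU_AUTO_SCHEDULED_INSTALL,
        "ScheduledInstallDay": install_day,      # 0 = every day, 1 = Sunday ... 7 = Saturday
        "ScheduledInstallTime": install_hour,    # hour of day, 0-23
        "DetectionFrequencyEnabled": 1,
        "DetectionFrequency": detection_hours,   # hours between check-ins, 1-22 (22 is the default)
        "NoAutoRebootWithLoggedOnUsers": 1 if no_reboot_with_users else 0,
    }
    return {POLICY_KEY: wu, AU_KEY: au}


def to_reg(policy):
    """Serialise the policy as .reg text (strings quoted, integers as dword)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in policy.items():
        lines.append(f"[{key}]")
        for name, value in values.items():
            if isinstance(value, int):
                lines.append(f'"{name}"=dword:{value:08x}')
            else:
                lines.append(f'"{name}"="{value}"')
        lines.append("")
    return "\n".join(lines)


def parse_reg(text):
    """Parse the subset of .reg syntax produced by to_reg back into a dict."""
    policy, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = policy.setdefault(key_match.group(1), {})
            continue
        value_match = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
        if value_match and current is not None:
            name, dword, string = value_match.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return policy


def audit(policy, expected_server):
    """Return findings; an empty list means the client is correctly pointed at WSUS."""
    findings = []
    wu = policy.get(POLICY_KEY, {})
    au = policy.get(AU_KEY, {})
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client will contact Microsoft Update directly")
    for name in ("WUServer", "WUStatusServer"):
        if wu.get(name) != expected_server:
            findings.append(f"{name} is {wu.get(name)!r}, expected {expected_server!r}")
    if wu.get("TargetGroupEnabled") == 1 and not wu.get("TargetGroup"):
        findings.append("TargetGroupEnabled is set but TargetGroup is empty")
    if au.get("AUOptions") not in VALID_AU_OPTIONS:
        findings.append(f"AUOptions {au.get('AUOptions')!r} is not a valid policy value")
    freq = au.get("DetectionFrequency")
    if au.get("DetectionFrequencyEnabled") == 1 and not (freq and 1 <= freq <= 22):
        findings.append(f"DetectionFrequency {freq!r} is outside 1-22 hours")
    return findings


if __name__ == "__main__":
    server = "http://wsus.example.local"          # placeholder, not a real host
    text = to_reg(wsus_policy(server, target_group="Test Computers"))
    print(text)
    print("findings:", audit(parse_reg(text), server))
```

Client-side targeting (TargetGroup) and server-side assignment from the console are the two mutually exclusive assignment methods; if the console is set to server-side targeting, the TargetGroup value is ignored, which is why the audit only flags an enabled-but-empty group rather than requiring one.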
The other Group Policy options shown back in Figure 18.13 are used to control whether the computer performs an autorestart after it installs an update that requires a reboot or waits until a scheduled reboot. The last option controls whether the updates are automatically installed when the computer is first started after it has missed an update window (for example, if the computer was scheduled for an update at 3:00 a.m. but was turned off). By default, each client computer checks in with the WSUS server at a 22-hour interval with a random offset of 0 to 30 minutes. When the client checks in, it receives any new WSUS configuration settings and saves its individual statistics to the WSUS database. This interval can be changed via Group Policy.

Approving Updates

Not all the updates apply to the computers on your network. Also, there is the possibility that one of the fixes might actually break something in your environment. Fortunately, WSUS can be configured to not make any updates available until after you have approved them. This gives you the opportunity to select which updates you want to distribute and to test them before you release them to your production environment. To approve WSUS updates so that they can be distributed to your clients, use the procedure in Step by Step 18.5.
Managing Updates

Unfortunately, Microsoft doesn't provide much in the way of tools to manage WSUS. WSUS is intended for the small- to medium-sized enterprise. All the configuration options are available from the web console. For larger enterprises, Microsoft recommends that you implement the Systems Management Server (SMS) product. SMS provides much more powerful update capabilities, including expanded operating system support, hardware and software inventory, and remote control management capabilities. However, unlike its predecessor, Software Update Services (SUS), WSUS provides four main reports to track the status of updates:
To run a Status of Computers report, follow the procedure in Step by Step 18.6.
In addition to the previously mentioned reports, WSUS can supply compliance reports to track the compliance status by computer (whether all the required updates have been installed on that computer) and by update (whether the update has been installed on all of the computers that require it). Unlike the other reports that are available from the Reports page, these reports are run by selecting the desired computer on the Computers page and the selected update on the Updates page.
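The two compliance views just described, computed from a constructed status table as an added example (not code from the book or from WSUS itself). The rows and the computer and update names are made up; the status vocabulary (Installed, Needed, Failed, Not Applicable) follows the WSUS console. The point it shows that the prose does not: an update that is Not Applicable to a computer does not count against either view, while a Failed install counts as non-compliant just as Needed does.

```python
"""Per-computer and per-update compliance from a WSUS-style status table.

Added example with constructed data: (computer, update, status) rows.
"""

# Constructed sample status rows; names are placeholders.
SAMPLE_STATUS = [
    ("ws01", "KB-A", "Installed"),
    ("ws01", "KB-B", "Installed"),
    ("ws01", "KB-C", "Not Applicable"),
    ("ws02", "KB-A", "Installed"),
    ("ws02", "KB-B", "Needed"),
    ("ws02", "KB-C", "Not Applicable"),
    ("srv01", "KB-A", "Failed"),
    ("srv01", "KB-B", "Not Applicable"),
    ("srv01", "KB-C", "Installed"),
]

# Statuses that do not leave the computer exposed for that update.
SATISFIED = ("Installed", "Not Applicable")


def _pending_by(rows, key_index, other_index):
    """Group rows by one column and list the other column's values still pending."""
    pending = {}
    for row in rows:
        pending.setdefault(row[key_index], [])
        if row[2] not in SATISFIED:
            pending[row[key_index]].append(row[other_index])
    return {k: (len(v) == 0, sorted(v)) for k, v in pending.items()}


def compliance_by_computer(rows):
    """Map computer -> (compliant?, updates still needed or failed)."""
    return _pending_by(rows, 0, 1)


def compliance_by_update(rows):
    """Map update -> (fully deployed?, computers where it is still pending)."""
    return _pending_by(rows, 1, 0)


def compliance_summary(rows):
    """Percentage of computers with every applicable update installed."""
    by_computer = compliance_by_computer(rows)
    compliant = sum(1 for ok, _ in by_computer.values() if ok)
    return round(100.0 * compliant / len(by_computer), 1) if by_computer else 0.0


if __name__ == "__main__":
    for computer, (ok, missing) in compliance_by_computer(SAMPLE_STATUS).items():
        print(f"{computer}: {'compliant' if ok else 'missing ' + ', '.join(missing)}")
    for update, (ok, hosts) in compliance_by_update(SAMPLE_STATUS).items():
        print(f"{update}: {'deployed everywhere' if ok else 'pending on ' + ', '.join(hosts)}")
    print(f"{compliance_summary(SAMPLE_STATUS)}% of computers compliant")
```

The per-update view is the one to watch after approving a security fix: a Failed entry on a server that is otherwise "in the group" is a machine that is still unpatched, and the console's per-computer view alone will not tell you which approval it is.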