Using SUS to Manage a Software Update Infrastructure

System administrators need to check the Windows Update Web site frequently to obtain the latest security patches and operating system stability fixes. The Windows Update site automates the process by scanning your hard drive for previous installed patches before displaying a list of the latest recommended patches. Administrators, however, must still download and test the latest patches before manually distributing and applying them.

Traditional enterprise software tools such as Microsoft's Systems Management Server (SMS) are also used to update clients ' computers. If you're using electronic software distribution solutions for complete software management, Microsoft recommends that you continue to do so.

Many companies implement policies to prevent users from browsing the Internet for updates. The Software Update Service (SUS) provides a solution to the problem of managing and deploying Windows patches by dynamic notification of critical updates at scheduled times to Windows client computers. Updates can be tested by the administrator and then scheduled to automatically update selected client computers.

SUS is installed on a Windows 2000 Server (SP2 or later) or Windows Server 2003 inside the company's firewall. After it's installed, the SUS server downloads all critical updates and security roll-ups when they're posted to the Windows Update Web site. The administrator also has the option of receiving email notification when new updates are posted.

SUS contains the following features:

• Software Update Services Server The SUS server on your internal intranet synchronizes with the Windows Update Web site whenever new critical updates for Windows 2000, Windows 2003, or Windows XP are available. The synchronization can be performed manually by the administrator or automatically. After all updates are downloaded to your SUS server, you can test and decide which updates you want to publish to the client computers. The SUS server is supported for Windows 2000 Server (SP2 or later) and the Windows Server 2003 family.

• Client Automatic Updates This is the client component that is usually configured to connect to your SUS server for updates. Administrators control which clients connect and can also schedule when to deploy the critical updates, either manually or by using Active Directory Service Group Policy. The Automatic Updates client software is supported for Windows 2000 Server (SP2 or later), Windows Server 2003, Windows 2000 Professional (SP2 or later), and Windows XP Professional and Home Editions.

The Automatic Updates client software is included with Windows 2000 Service Pack 3, Windows XP Service Pack 1, and the Windows Server 2003 family of operating systems. Other clients can obtain the Automatic Updates client at http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp

Installing and Configuring SUS on a Server

The minimum configuration requirements are as follows :

• Pentium III 700MHz or higher processor

• 512MB of RAM

• 6GB of free hard disk space

• Internet Explorer, version 5.5 or higher

• Internet Information Server installed

Perform the following steps to install SUS with default settings:

1. Download the SUS Package Using Internet Explorer version 5.5 or higher, browse to the following Web site and download the Software Update Services setup package from the SUS page: http://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en.

2. Install SUS SP1 Double-click the SUS10sp1.exe file and click Next on the Welcome screen of the SUS Setup Wizard. Read and accept the End User License Agreement and click Next.

3. Select Typical if you want to have all the defaults applied or select Custom to configure the SUS options now. Select Custom and click the Next button.

4. Choose file locations You can store the updates locally or have clients update their files from a Microsoft Windows Update Server. In the Update Storage section, select the radio button Save the Updates to This Local Folder (by default, C:\SUS\content ) and then click Next.

5. Language settings By default, the All Available Languages radio button is selected, which results in more than 600MB of updates. If you don't need additional languages, select English Only (about 150MB of updates) or the Specific Languages radio button. Select the English Only button and click Next (see Figure 4.1).

   Figure 4.1. You can conserve disk space by specifying a language on the Language Settings screen.

   

6. Handing new versions of previously approved updates You can manually or automatically approve new versions. Select the Automatically Approve New Versions of Previously Approved Updates radio button and click Next to continue.

7. SUS installs and applies the IIS lockdown tool to Windows 2000 SP2 Server, Advanced Server and earlier versions. Note the IIS lockdown tool is included with Windows 2000 Server (SP3 and later) and the Windows Server 2003 family.

8. Click the Finish button to complete the installation. SUS setup adds a Start menu shortcut in the Administrative Tools folder and opens the SUS administration Web site in Internet Explorer at http:// <yourservername> /SUSAdmin .

You must be a local administrator on the SUS Server to install and view the Administration Web page. If you try to connect to the Administration Web site with a version of IE older than version 5.5, you'll see an error page reminding you to upgrade to IE 5.5 or greater. If your network uses a proxy server to connect to the Internet, configure your proxy server settings on the SUS Administration Web page under the Select a Proxy Server Configuration section.

Configuring Client Automatic Updates

To use the SUS server for updates, client computers must be running the updated Automatic Updates client. Windows 2000 Professional and Server (SP2 or earlier), and Windows XP Home and Professional clients must update their operating system to use SUS. The update is available at http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp.

The administrator can configure Windows XP or Windows 2000 automatic client updates either by using the Automatic Updates tab in the System Properties dialog box of the System applet in the Control Panel, or by connecting to a wizard after waiting at least 24 hours after connectivity to the update service has been established. The System Properties Automatic Updates tab configuration options are shown in Figure 4.2.

The following options are used to control how updates are applied:

• Notify before updates are downloaded and notify again before the updates are installed

• Download the updates automatically and notify before the updates are installed

• Download the updates automatically and install the updates based on a specified schedule

Using Group Policy to Configure SUS Clients

Using Group Policy is the preferred way of applying updates to your clients. Policies can also be configured using Windows NT 4 System Policy or by manually setting Registry keys.

Remember that Active Directory (AD) Group Policy settings always take precedence over Local Group Policies or user-defined options.

To set up a Group Policy using Active Directory installed on Windows 2000 or Windows Server 2003, perform the following steps:

1. Click Start, All Programs, Administrative Tools, Active Directory Users and Computers to open the Active Directory Users and Computers MMC interface.

2. Right-click the organizational unit (OU) or the domain where you want to create the policy and then click Properties.

3. Click the Group Policy tab and then click New. Type a name for your policy, and then click the Edit button. The Group Policy editor opens.

4. Navigate to and expand the computer configuration folder. Right-click Administrative Templates, choose Add/Remove Templates, and then click Add.

5. In the Policy Templates dialog box, select the wuau.adm template and click the Open button. Verify your template has been added and then close the Add/Remove Templates dialog box. Steps 4 and 5 are not necessary to perform on a Windows Server 2003 server because wuau.adm is already installed by default.

6. Under Computer Configuration, expand the Administrative Templates folder, expand the Windows Components folder, and then select the Windows Update folder.

7. In the right pane, four policies are displayed that you can configure. Configure Automatic Updates, Specify Intranet Microsoft Updates Service Location, Reschedule Automatic Updates Scheduled Installations, and No Auto-Restart for Scheduled Automatic Updates Installations.

8. Double-click Configure Automatic Updates and select the Enabled option radio button.

9. In the Configure Automatic Update section, select one of the following options from the drop-down list box:

   • Notify for download and notify for install

   • Auto-download and notify for install (default setting)

   • Auto-download and schedule the install

10. When you finish, click the OK button.

11. Next, in the right pane, double-click Specify Intranet Microsoft Updates Service Location and select the Enabled option radio button as shown in Figure 4.3.

    Figure 4.3. You can enable automatic updates via the Specify Intranet Microsoft Updates Service Location Properties screen.

    

12. To specify a location for the SUS server that your Windows clients will be redirected to, type the URL in the Set the Intranet Update Service for Detecting Updates text box. Click the OK button when complete.

Managing a Software Update Infrastructure

Common administrative tasks for managing SUS include synchronizing content, approving updates and timing issues, and reviewing server actions and server health. To synchronize your SUS server with the Microsoft Update Services, perform the following steps:

1. On the navigation bar of the SUS administrator Web page, click Synchronize Server.

2. Click Synchronize Now. After synchronization completes, a list of updates appears on the Approve Update page.

To set up automatic synchronization, click Synchronize Server in the navigation bar and then click the Synchronize Now button. Updates start downloading with a progress bar displayed as shown in Figure 4.4. When downloads have completed, you'll receive a notification that your SUS server has successfully synchronized with the Microsoft Windows Update server. Click the OK button to confirm.

Next, click the Synchronization Schedule button. To approve updates for deploying to your computers, click Approve Updates Server in the navigation bar, select the updates you want to deploy, and then click Approve. Every 22 hours or so, your targeted client computers will poll the SUS server for approved updates to install.

If you subsequently unapprove an update after it has been installed on client computers, it does not automatically uninstall from the client.

A synchronizing log and the approval log are provided for review. The synchronizing log maintains and keeps track of your content synchronizations. The approval log tracks both approved and unapproved contents. Both of these logs can be accessed from the SUS administration Web page navigation pane.

Backing Up and Restoring an SUS Server

To restore a fully functional SUS server in the event of an SUS failure, you need to back up the administration site SUS directory that contains the content, the Web site directory that the administration site was created in, and the Internet Information Server metabase. Open the IIS MMC Snap-in console and perform the following actions to back up the IIS metabase:

1. From the Action menu, select All Tasks, and then Backup/Restore Configuration.

2. Click Create Backup in the Configuration Backup/Restore dialog box, type a name for the backup, and then click OK.

3. Verify that your backup is listed and then click Close to close the Configuration Backup/Restore dialog box and exit IIS Manager.

4. Run NTBackup (Start, All Programs, Accessories, System Tools, Backup) and in the left pane under Inetpub, click to select the wwwroot (default Web site) and the SUS (system content) folder. Next, navigate to \WINDOWS\system32\inetsrv\Metaback folder and select the backup of the IIS metabase you created and saved.

5. Click Start Backup. When the backup completes, the Backup Progress dialog box displays with completed results.

To restore a failed SUS server, perform the following steps:

1. Disconnect the server from the network and perform a clean install of Windows Server 2003, making sure to give the server the same computer name it originally had.

2. Make sure that you install the same IIS components as installed originally.

3. Apply the latest service packs and security fixes as originally installed.

4. Install SUS in the same directory.

5. Run NT Backup to restore your most recent backup. Include the SUS content directory, the IIS site containing the SUSAdmin and AutoUpdate virtual directories, and the IIS metabase backup on the server running SUS.

Testing Content for SUS Implementation

There are two methods for testing content:

• In a test lab, set up both a test Windows Server 2003 SUS server and a client computer running either Windows 2000 Professional with SP3 installed or Windows XP with SP1. Both clients already have the Automatic Updates client software installed. Set up the client computer to download and install your approved updates from your SUS server.

• Using your browser, connect the test client computer to the Windows Update site and apply the patches you want to test on the client. The Windows Update site is located at http://windowsupdate.microsoft.com.