Deep Dive How to Configure a Shared WSUS Database for Multiple SUPs in SCCM

  • Published on Jul 4, 2024
  • Accompanying blog post available at setupconfigmgr.com/using-a-sh...
    In this video guide, we will be covering how to use a shared WSUS database for multiple software update points in SCCM. Using a shared WSUS Database is generally considered a best practice in well-connected scenarios since this offloads the vast majority of network impact if a client were to switch SUPs in SCCM.
    Topics in Video:
    - Review the SCCM docs and why a WSUS shared DB is usually a good idea
    - Review why wsyncmgr syncs are faster when using a shared WSUS database
    - Review the current lab's primary SUP with SQL DB, and secondary SUP using WID
    - Enable Debug and Verbose logging to wsyncmgr.log and wcm.log
    - Review how the WSUS_Configuration_Manager thread reads all available SUPs at startup and how it determines if it's using a shared WSUS database
    - Review wsyncmgr.log for multiple SUPs in a non-shared WSUS database
    - Remove WID WSUS role service and add SQL WSUS role service
    - Configure SUP-2 to use SUP-1's WSUSContent library folder for EULA/3rd-Party Update Content
    - Run WSUSUTIL.exe postinstall to change WSUS to use the shared SQL Database and shared WSUSContent folder
    - Resolve IIS misconfigurations after postinstall:
      - Add "\\" to the beginning of the Physical path in the IIS Content virtual directory
      - Change Authentication for Anonymous Authentication to use the WSUS Application Pool Identity instead of the local IUSR account
    - Start WSUS_Configuration_Manager and validate it updates SUP-2 configuration in the active SUP list to be a shared WSUS database
    - Publish a third-party update to get a WSUS catalog change and run a SUP sync to review how the sync is now treated as a single SUP sync
    - Set up a shared WSUS database in a new clean WSUS installation on a new SUP rather than converting an existing SUP to a shared WSUS database
    Commands and Notes:
    - PowerShell command to see WSUS installed role services: Get-WindowsFeature -Name UpdateServices*
    - PowerShell command to remove WSUS WidDB: Remove-WindowsFeature -Name UpdateServices-WidDB
    - PowerShell command to install WSUS SQL Database Connectivity: Install-WindowsFeature -Name UpdateServices-DB
    - WsusUtil command: WsusUtil.exe postinstall SQL_INSTANCE_NAME="SCUP.CONTOSO.LOCAL" CONTENT_DIR="\\SCCM3-DPMPSUP-1.CONTOSO.LOCAL\WSUS"
    SQL_INSTANCE_NAME and CONTENT_DIR should be changed to match your environment details
    Helpful Resources:
    - Great blog post version of using a shared WSUS Database - blogs.technet.microsoft.com/c...
    - Manually switch clients to a new software update point - docs.microsoft.com/en-us/sccm...
    - Use a shared WSUS database for software update points (Installation Best Practices) - docs.microsoft.com/en-us/sccm...
    - Managing WSUS from the Command Line - docs.microsoft.com/de-de/secu...
  • Science & Technology
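
A read-only check of the end state the steps above aim for on SUP-2, as an added example that is not from the video or the blog post: WID removed, SQL connectivity installed, WSUS pointed at the shared SQL instance and content share, the IIS Content path in UNC form, and anonymous authentication running as the application pool identity. The IIS site name `WSUS Administration` and the WSUS setup registry key are assumed defaults, and the expected values are the sample names from the command above.

```powershell
# Added example: validates the SUP-2 conversion without changing anything.
# Assumptions: default IIS site name and the standard WSUS setup registry key.
param(
    [string]$ExpectedSqlInstance = 'SCUP.CONTOSO.LOCAL',
    [string]$ExpectedContentDir  = '\\SCCM3-DPMPSUP-1.CONTOSO.LOCAL\WSUS',
    [string]$WsusSite            = 'WSUS Administration'
)
Import-Module WebAdministration

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Actual) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Actual = $Actual })
}

# 1. Role services: WID must be gone, SQL database connectivity must be present.
$features = Get-WindowsFeature -Name UpdateServices*
$wid = $features | Where-Object Name -eq 'UpdateServices-WidDB'
$db  = $features | Where-Object Name -eq 'UpdateServices-DB'
Add-Check 'WID role service removed'   (-not $wid.Installed) "Installed=$($wid.Installed)"
Add-Check 'SQL role service installed' ([bool]$db.Installed) "Installed=$($db.Installed)"

# 2. What WsusUtil postinstall recorded for the database and content location.
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
Add-Check 'Shared SQL instance configured' `
    ($setup.SqlServerName -eq $ExpectedSqlInstance) $setup.SqlServerName
Add-Check 'Shared content directory configured' `
    ("$($setup.ContentDir)".TrimEnd('\') -eq $ExpectedContentDir.TrimEnd('\')) $setup.ContentDir

# 3. IIS Content virtual directory must use the full UNC form (leading "\\").
$vdir = Get-WebVirtualDirectory -Site $WsusSite -Name 'Content'
Add-Check 'IIS Content physical path is UNC' ($vdir.physicalPath -like '\\*') $vdir.physicalPath

# 4. Anonymous authentication: an empty userName means "application pool identity";
#    'IUSR' is a local account that cannot authenticate to the remote share.
$anonUser = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location "$WsusSite/Content" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'userName').Value
Add-Check 'Anonymous auth uses app pool identity' `
    ([string]::IsNullOrEmpty($anonUser)) "userName='$anonUser'"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

Run it elevated on the converted SUP; a non-zero exit code means at least one step still needs attention.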

Comments • 27

  • @ranvijaybharti 5 years ago +3

    Really appreciate the effort which you have put in for the community. Really liking the entire series.

    • @PatchMyPC 5 years ago

      Thanks for watching!

  • @rachnapandit6381 3 years ago

    Great video. This video shows modification from existing SUPs in an SCCM environment. What if I want to create a new WSUS/SUP and shared database? What things do I need to keep in mind before proceeding?

    • @PatchMyPC 3 years ago +1

      Would basically just install WSUS with shared content and Database then add the SUP role.

  • @rahulgupta-gp9nu 4 years ago +1

    This is a really very nice video. One question: we have set up one more SUP on our standalone primary site with a shared WSUS database. But now every time the update source in WSUS options is getting changed to the server itself. We need to manually change the update source to Microsoft Update in WSUS.

    • @PatchMyPC 3 years ago

      The source should be set in SCCM not WSUS

  • @ashwing2927 5 years ago

    Hi,
    Couple of queries:
    1. Is there any difference between a scheduled sync and a manual sync, and
    2. Will a scheduled sync trigger a full sync or a delta sync?
    And once again, thanks a lot for sharing your experience with us...

    • @PatchMyPC 5 years ago

      1. Not usually, some scheduled syncs will trigger a full-sync but not always. I believe there's some built-in criteria where it will periodically.
      2. See above, you can always perform a full sync by dropping in a full.syn in the wsyncmgr.box

    • @ashwing2927 5 years ago

      Thank you..

  • @jcc2289 5 years ago +1

    Hey Justin, solid work as usual! Quick question for you... I'm setting up IBCM at a site (They're not ready for CMG yet :( ) and setting up the SUP role on the IBCM server, but want to configure it to share their existing WSUS SQL database on the primary site server which is running on Windows Server 2012. However, the IBCM server in the DMZ is running Windows Server 2016. Will there be an issue if I install the WSUS role on the IBCM server running Windows Server 2016? Thanks in advance for the assist!

    • @PatchMyPC 5 years ago

      You will need to be running the same version of WSUS to share the WSUSDB in a supported way.

    • @jcc2289 5 years ago +1

      Thanks Justin!

  • @Zeingeist 5 years ago +1

    This is a great video. I have a question though, only because of dealing with this recently.
    I was having an issue with the WSUS Cleanup Wizard not able to start when attempted to clean unneeded update files. I banged my head against the wall for a couple days before I called Microsoft. After we looked through everything, their takeaway was that since my WSUS was connecting to a network location for the WSUS content folder, that was why I was having the problem. They told me that the WSUS Cleanup Wizard is not designed to work with the content folder on a network share of any kind, it should be local. So, giving it the benefit of the doubt, I made the change to where we store that content. As soon as I put that folder local to the WSUS server, and it synchronized, the cleanup started and worked. Have you tested to see if WSUS Cleanup Wizard works to clean up unneeded update files with this configuration? I run a non-MS script for WSUS maintenance, but it still calls the Cleanup Wizard.

    • @PatchMyPC 5 years ago

      Probably issues with the computer account permissions.

    • @Zeingeist 5 years ago

      @PatchMyPC I wish. I went over all of them. It's not a terribly complex environment. They out and out told me that was the case though. That it was by design, that's why I ask. By "they" I mean Microsoft, sorry to be ambiguous.

  • @bITTERSWWWEET 3 years ago

    If you wanted to use SSL is there anything that would need to be done differently? Do you need to set up SSL before or after, would it matter?

    • @PatchMyPC 3 years ago

      Check out my PKI guide that covers SSL for WSUS

  • @kevintran1060 2 years ago

    Do we need to set SUP2 as downstream server if using Shared SUSDB and Content? Thanks for sharing!

    • @PatchMyPC 2 years ago +1

      Hey Kevin,
      Is your question do you need a second SUP if you are using the same UNC and DB at the Primary SUP?

    • @kevintran1060 2 years ago

      @PatchMyPC Yup! I was able to set up second SUP using same UNC and DB. There is no DownStream in shared SUSDB..duh! LOL. Thanks for the video!

  • @mohananaidu4627 4 years ago

    We are planning to create one more SUP role; the server is on the 2019 OS and the primary SUP is on the 2012 R2 OS. We need to use the primary SUP as the upstream server to the new one and share the same database. Should both servers have the same OS version? If not, what would be the next step?

    • @PatchMyPC 4 years ago

      You wouldn't want to share the WSUS DB if the host services not on the same Server version.

    • @mohananaidu4627 4 years ago

      @PatchMyPC thank you Sir

  • @Stuff_Dave_Does 5 years ago

    Might be worth noting that this cannot, and should not be done, on a Secondary Site SUP/WSUS - this will cause configuration issues

    • @PatchMyPC 5 years ago

      What issues has it caused you?

    • @Stuff_Dave_Does 5 years ago

      @PatchMyPC The Primary WSUS was being configured to synchronise from itself as an upstream server. A WSUS under a Secondary does not get discovered by the Primary as a grouped WSUS install. The Secondary configures the WSUS which in turn sets the Upstream server to the Primary but as the DB is shared it configures all WSUS to speak to 1 internal server and never MS.

    • @PatchMyPC 5 years ago

      @Stuff_Dave_Does Maybe a good idea for UserVoice configurationmanager.uservoice.com/forums/300492-ideas. I don't see any technical reason this shouldn't work.