All the current Windows operating systems include a Windows Update client, which you can configure to connect to the Microsoft Update servers on the Internet at regular intervals, download the latest operating system updates,
and install them, all without user intervention. However, in a network
environment, Windows Update has several limitations in its default
configuration, including the following:
- Client configuration: In a network environment, configuring and activating the Windows Update client on each individual computer is a time- and labor-intensive task. The larger the network, the longer and more difficult the task.
- Bandwidth utilization: When each computer on the network performs its own separate downloads from the Microsoft Update servers, as shown in Figure 1, your Internet connection can become saturated with multiple downloads of the same files. This can consume a great deal of bandwidth and slow down other processes, especially when large updates, such as service packs, are involved.
- Update evaluation: You can configure the Windows Update client to download updates and wait for a user to install them, but the decision of whether to install a specific update is then out of the hands of the network administrator. In this default configuration, the only way to regain control would be to travel to each computer and manually install the updates.
Fortunately, Windows SBS 2011 includes tools that address all these problems.
1. Windows Server Update Services
Windows Server Update Services (WSUS) is a Windows Server 2008 R2
role that enables network administrators to deploy what is essentially a
Microsoft Update server on their local networks. WSUS downloads all the
latest updates from the Microsoft Update servers on the Internet, and
then the clients on the network download their updates from the WSUS
server.
To use WSUS with Windows Server 2008, an administrator must download
the WSUS product, install it on a server, configure it to download
updates, approve the updates for deployment, and configure the clients
on the network to use WSUS. Beginning with the Windows Server 2008 R2
release, WSUS is incorporated into the operating system as a role. In
Windows SBS 2011, the setup program performs all the installation and
configuration tasks automatically. Your Windows SBS server then becomes a
WSUS server, in addition to performing its other roles.
Note
Windows SBS 2011 uses the simplest possible WSUS architecture, which
consists of a single WSUS server that provides updates for all the
network clients. However, it is also possible to create more complex
WSUS installations for larger networks, in which one WSUS server
functions as the source for other WSUS servers.
When you use WSUS to deploy updates, instead of each computer
downloading the same files from the Internet independently, only the
WSUS server uses the Internet connection, as shown in Figure 2.
The WSUS server downloads a copy of each selected update and saves it
in a local data store, making it available for access by all the
computers on the network. Because the WSUS server has to download only
one copy of each update, the amount of Internet bandwidth consumed by
the update process
is reduced drastically. WSUS also provides administrators with the
opportunity to research, evaluate, and test updates before deploying
them to the network clients.
By incorporating WSUS into its default installation, Windows SBS 2011
completes many of the configuration tasks that Windows Server 2008 R2
administrators must perform manually. When the Windows SBS installation
is finished, the WSUS server is ready to download a catalog of updates
from the Internet, a process called synchronization.
WSUS then automatically approves certain updates for distribution,
downloads them, and prepares to deploy them to the clients on the
network. You can also modify the default behavior of WSUS using the
Windows SBS Console or the Update
Services snap-in for the Microsoft Management Console (MMC). For
example, if you want to evaluate or test updates before deploying them,
you can configure WSUS to perform the downloads and store them until an
administrator approves them for distribution.
2. Group Policy and Windows Update
WSUS addresses the problems of bandwidth utilization and update evaluation, but not the client
configuration problem. WSUS provides a service that clients can use,
but it does not configure the clients to use it. To do this, Windows SBS
2011 uses Group Policy settings to configure the Windows Update client on network workstations.
Note
During the server installation,
the Windows SBS 2011 setup program creates three Update Services Group
Policy objects (GPOs). These GPOs contain settings that configure the
Windows Update clients on all the network’s servers and workstations to
request updates from the WSUS server instead of from the Microsoft
Update servers on the Internet.
3. Understanding the WSUS Default Settings
WSUS is essentially a web application that uses a Microsoft SQL
Server database to store information about the updates that it downloads
from the Internet. The Windows SBS 2011 setup program creates a website
for WSUS and installs the Windows
Internal Database feature, which is a limited version of SQL Server
included with Windows Server 2008 R2. Clients connect to the server
using a Uniform
Resource Locator (URL) specified in their Group Policy settings and
download all the updates that are approved for their use.
WSUS is a highly configurable application. When you deploy WSUS on a
server running Windows Server 2008 R2, you have to install a role and
then install the Windows
Server Update Services Configuration Wizard. These two procedures
enable you to configure a variety of parameters, including what database
to use, where to store the update files, what products and operating
systems to update, and when to synchronize with the Microsoft Update
servers.
Note
Prior to Windows Server 2008 R2, WSUS was a standalone free product
that you had to obtain from the Microsoft Download Center and install
manually. The standalone version, now known as WSUS 3.0 SP2, is still
available for download.
Windows SBS 2011 configures all these options for you, though. Once
the installation is completed, the server automatically synchronizes
with the Microsoft Update servers, approves new updates, and deploys
them to clients. You can reconfigure WSUS to conform to your
organization’s timetable and other needs, but first you must become
familiar with the application’s default settings:
- Synchronization: The setup program configures WSUS to synchronize with the Microsoft Update servers daily at 10 P.M.
- Products: By default, WSUS synchronizes updates for all the products that it supports, including server and workstation operating systems; server applications, such as Microsoft Exchange Server and SQL Server; and productivity applications, such as Microsoft Office.
- Classifications: WSUS synchronizes, by default, all critical updates, definition updates, security updates, service packs, and update rollups. It does not synchronize drivers; feature packs; tools; or noncritical, nonsecurity updates.
- Languages: WSUS synchronizes only updates in the language that you specified when installing Windows SBS 2011.
- Approvals: By default, WSUS automatically approves all security, critical, and definition updates for servers. For clients, WSUS approves all security, critical, and definition updates, plus service packs.
- Storage: WSUS downloads only the approved updates and stores them, in CAB format, in the C:\WSUS\WsusContent folder by default.
- Server updates: Servers download the latest updates from the WSUS server and inform the administrator that they are ready to install. An administrator must install them manually using the Windows Update Control Panel.
- Client updates: Clients connect to the WSUS server and download the latest updates for their respective operating systems, and then install them automatically each day at 3 A.M. If necessary, the Windows Update client restarts the computer when the update installations finish.
There is almost nothing you have to do to use WSUS in its default
configuration. The server synchronizes itself, approves the most
important updates, and downloads them. As you add clients to the
network, they receive the Group Policy settings from the server that
configures their Windows Update clients, causing the computers to
download and install new updates as they become available.
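To confirm that a computer actually received these settings, you can read the Windows Update policy values that Group Policy writes to the registry. The following script is an added example, not part of the original text or of Windows SBS; the mapping of the defaults above to AUOptions 3 (servers) and 4 (workstations), a daily schedule, and hour 3 is an assumption based on the standard Windows Update policy values.

```powershell
# Added example: audit the Windows Update policy delivered to this computer.
# Expected values are assumptions derived from the defaults described above.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# ProductType 1 = workstation; 2 = domain controller; 3 = member server.
$isServer = (Get-WmiObject Win32_OperatingSystem).ProductType -ne 1
$role = 'workstation'
if ($isServer) { $role = 'server' }

$findings = @()
$wuServer = Get-PolicyValue $wuKey 'WUServer'
if (-not $wuServer) {
    $findings += 'WUServer is not set: no WSUS URL was delivered by policy.'
}
if ((Get-PolicyValue $auKey 'UseWUServer') -ne 1) {
    $findings += 'UseWUServer is not 1: the client still contacts Microsoft Update directly.'
}

$auOptions = Get-PolicyValue $auKey 'AUOptions'
if ($isServer) {
    # AUOptions 3 = download automatically, notify before installing.
    if ($auOptions -ne 3) { $findings += "AUOptions is '$auOptions'; expected 3 on servers." }
} else {
    # AUOptions 4 = download automatically and install on a schedule.
    if ($auOptions -ne 4) { $findings += "AUOptions is '$auOptions'; expected 4 on workstations." }
    # ScheduledInstallDay 0 = every day; ScheduledInstallTime is the hour (0-23).
    if ((Get-PolicyValue $auKey 'ScheduledInstallDay') -ne 0) {
        $findings += 'ScheduledInstallDay is not 0 (every day).'
    }
    if ((Get-PolicyValue $auKey 'ScheduledInstallTime') -ne 3) {
        $findings += 'ScheduledInstallTime is not 3 (3 A.M.).'
    }
}

"Computer: $env:COMPUTERNAME  Role: $role  WSUS URL: $wuServer"
if ($findings.Count -eq 0) { 'OK: policy matches the described defaults.' } else { $findings }
```

A computer that reports findings has usually not yet applied the Update Services GPOs, or has had them overridden by another policy.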
4. Installing Server Updates Manually
The main WSUS-related task that administrators have to perform on a
regular basis is to install updates on the servers manually. By default,
servers receive Group Policy settings that configure the Windows Update
client to download updates from the WSUS server, but not to install
them. There are several reasons for this arrangement.
The servers in a Windows SBS 2011 installation are critical to the
operation of the network, and administrators should exercise more care
in the maintenance of servers than they do with the maintenance of
workstations. Although Microsoft tests updates before releasing them to
the public, updates still can cause problems. Windows SBS 2011
administrators should evaluate each update intended for the servers by
reading the documentation associated with it and then deciding whether
to install it. You might also want to test an update on another computer
before installing it on your production server or wait to see if other users experience any issues.
Another important factor is that many updates require a system
restart before they take effect. The default Windows Update
configuration permits client workstations to restart themselves if an
update requires it. However, this action is not recommended for a server,
which might be in the middle of a system backup or other important
operation. WSUS therefore requires administrators to install manually
any updates that WSUS supplies to them using the following procedure:
- Log on to a Windows SBS 2011 server, using an account with network Administrator privileges.
- Click Start, then click Control Panel. The Control Panel window appears.
- Click System and Security, and then click Windows Update. The Windows Update Control Panel appears.
- In the Install updates for your computer box, click the hyperlink specifying the number of updates available for your computer. The Select Updates To Install window appears.
- Clear the check boxes for the updates that you do not want to install. Then click OK. The Windows Update window reappears.
- Click Install updates. The Control Panel displays the progress as the system installs the updates. When the installation is finished, the Windows Update window indicates the outcome of the installation and specifies which updates failed to install, if any.
- Click Restart now if the system prompts you to do so. The server restarts.
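Before working through the procedure above, it helps to see what is waiting on the server and which updates will need a restart. The following script is an added example, not part of the original text; it uses the Windows Update Agent COM interface on the server and only lists updates, it does not install anything.

```powershell
# Added example: list updates offered to this server that are not yet installed,
# so each one can be evaluated before the manual installation.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Applicable updates that are neither installed nor hidden.
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

# Meaning of InstallationBehavior.RebootBehavior.
$rebootText = @{ 0 = 'never'; 1 = 'always'; 2 = 'may be requested' }

$pending = @(foreach ($u in $result.Updates) {
    $kb = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    New-Object PSObject -Property @{
        KB         = $kb
        Title      = $u.Title
        Severity   = $u.MsrcSeverity
        Downloaded = $u.IsDownloaded
        Reboot     = $rebootText[[int]$u.InstallationBehavior.RebootBehavior]
        MoreInfo   = ($u.MoreInfoUrls | Select-Object -First 1)
    }
})

if ($pending.Count -eq 0) {
    'No pending updates.'
} else {
    # Updates that always need a restart are listed first so the
    # installation can be scheduled around backups and other operations.
    $pending | Sort-Object Reboot, KB |
        Format-Table KB, Severity, Downloaded, Reboot, Title -AutoSize

    # Documentation links to read before deciding whether to install.
    $pending | Where-Object { $_.MoreInfo } |
        ForEach-Object { '{0}: {1}' -f $_.KB, $_.MoreInfo }

    $needRestart = @($pending | Where-Object { $_.Reboot -eq 'always' }).Count
    "$($pending.Count) pending update(s); $needRestart always require a restart."
}
```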