Can I use the same database for two WSUS servers?

    Question

  • Hi Folks,

    Our HQ WSUS database is on a dedicated SQL Server 2008 in HQ. We are planning to set up a replica WSUS server in a branch office (centralized management mode). But we want to check the WSUS reports (e.g. computer/update status) only from the HQ instead of each branch. I have two questions.

    1. I should not install the SQL Server in Branch, and specify the HQ SQL Server as the Branch WSUS server database, right? In this case, I can check WSUS reports of both HQ and Branch from HQ, right?
    2. Can I use a specific update source (e.g. Microsoft Update or other WSUS upstream servers) for the Branch WSUS server instead of the HQ WSUS server even if it's a replica WSUS server?

    Thanks,
    高麻雀


    • Edited by 高麻雀 Wednesday, December 25, 2013 3:43 AM
    Monday, December 23, 2013 11:27 AM

All replies

  • I should not install the SQL Server in Branch, and specify the HQ SQL Server as the Branch WSUS server database, right?

    Absolutely not! Each WSUS server requires its own unique database instance. For the replica server you should use the default Windows Internal Database option.

    Can I use a specific update source (e.g. Microsoft Update or other WSUS upstream servers) for the Branch WSUS server instead of the HQ WSUS server even if it's a replica WSUS server?

    If the branch office server is intended to be a replica server, then it must be configured with the HQ WSUS server as the update source.

    So, to the question you're asking... how to get centralized reporting: After installing the replica server in the branch office, on the upstream server enable the option for Reporting Rollup. That's it. Now you have centralized reporting.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, December 23, 2013 5:19 PM
    Moderator
  • Thank you Lawrence. Regarding your explanations, I have two questions.

    1. Regarding "If the branch office server is intended to be a replica server, then it must be configured with the HQ WSUS server as the update source", does it mean my branch WSUS server is only able to get the patches from my HQ WSUS server? Isn't it able to get the patches from Microsoft Update or other WSUS servers? In this case, there will be a lot of bandwidth cost on the leased line which is only 2Mbps and intended for critical business like VDI/ERP applications.
    2. Regarding the centralized reporting, actually we are not using the WSUS integrated reporting component, we are using a database analysis tool to poll out the data from our HQ SQL Server and then generate a custom web-based report. So my question is, "after installing the replica server in the branch office, on the upstream server enable the option for Reporting Rollup", will the report information (computer/update status) be recorded in the HQ SQL Server? Or does the master WSUS just read the replica WSUS database while generating the reports by using the WSUS integrated reporting component?

    Thanks,
    高麻雀


    • Edited by 高麻雀 Monday, December 30, 2013 9:04 AM
    Wednesday, December 25, 2013 3:40 AM
  • Hi Lawrence,

    Would you help me again please. Thank you very much.

    Regards,
    高麻雀

    Monday, December 30, 2013 9:04 AM
  • Regarding "If the branch office server is intended to be a replica server, then it must be configured with the HQ WSUS server as the update source", does it mean my branch WSUS server is only able to get the patches from my HQ WSUS server?

    That is the fundamental premise of a downstream replica server.

    Isn't it able to get the patches from Microsoft Update or other WSUS servers?

    Well, here we may have a terminology challenge... so let me take a step back and answer this way:

    • A WSUS server obtains *updates* via the process of synchronization. Updates can be synchronized from one of two sources: Microsoft, or an Upstream WSUS Server.
    • Additionally, updates have a concept of APPROVAL. Approvals can be obtained from an Upstream WSUS Server when the server is configured as a REPLICA server; otherwise, Approvals are created at each individual WSUS server.
    • Finally, updates have FILES. Files can be obtained from Microsoft or the Upstream WSUS server, and this configuration option is absolutely independent of where the updates and/or approvals come from.

    Please note: All of this is exhaustively documented and discussed in the WSUS Deployment Guide. I would highly recommend reading it cover-to-cover.

    In this case, there will be a lot of bandwidth cost on the leased line which is only 2Mbps and intended for critical business like VDI/ERP applications.

    A few thoughts here...

    • First, a 2Mb/sec link is more than adequate to support a WSUS server downloading update files from an Upstream WSUS Server.
    • Second, using BITS you can configure when those files are transferred as well as how much of that 2Mb/sec is made available to the WSUS downstream server.
    • Third... Patch Management IS a critical business function. Do not let it be treated as a step-child or the VDI/ERP functionality will be irrelevant.

    "after installing the replica server in the branch office, on the upstream server enable the option for Reporting Rollup", will the report information (computer/update status) be recorded in the HQ SQL Server?

    The detail reporting data for the clients of the downstream replica servers is physically stored in the upstream server's database.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Tuesday, December 31, 2013 1:20 AM
    Moderator
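
The three layers described in the reply above (update metadata, approvals, files) are separate settings in the WSUS administration API. The PowerShell check below is an added example, not part of the original thread; it reads the local server's configuration and compares it with the intended replica design. The upstream host name and the function name `Test-WsusReplicaDesign` are placeholders chosen for illustration.

```powershell
# Added example (not from the thread). Run elevated on the branch WSUS server.
# 'hq-wsus.example.internal' is a placeholder for the HQ upstream server name.
function Test-WsusReplicaDesign {
    param(
        [string]$ExpectedUpstream = 'hq-wsus.example.internal',
        [bool]$FilesFromMicrosoft = $false   # $true: files come from Microsoft, not the upstream
    )

    # Load the WSUS administration API and read the local server's configuration.
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $cfg = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer().GetConfiguration()

    # One row per layer: layer, API property, expected value, configured value.
    $rows = @(
        @('Updates (sync source)', 'SyncFromMicrosoftUpdate', $false,              $cfg.SyncFromMicrosoftUpdate),
        @('Updates (sync source)', 'UpstreamWsusServerName',  $ExpectedUpstream,   $cfg.UpstreamWsusServerName),
        @('Approvals',             'IsReplicaServer',         $true,               $cfg.IsReplicaServer),
        @('Files',                 'GetContentFromMU',        $FilesFromMicrosoft, $cfg.GetContentFromMU)
    )

    $rows | ForEach-Object {
        New-Object psobject -Property @{
            Layer    = $_[0]
            Setting  = $_[1]
            Expected = $_[2]
            Actual   = $_[3]
            Ok       = ($_[2] -eq $_[3])   # string comparison is case-insensitive
        }
    } | Select-Object Layer, Setting, Expected, Actual, Ok
}

# Replica of HQ for metadata and approvals, files also pulled from HQ:
Test-WsusReplicaDesign | Format-Table -AutoSize

# Same replica, but update files downloaded from Microsoft instead of over the WAN:
Test-WsusReplicaDesign -FilesFromMicrosoft $true | Format-Table -AutoSize
```

Any row with `Ok` set to `False` shows a layer whose source differs from the design, for example a branch server that is a replica for approvals but still configured to pull files across the WAN.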
  • Hi Lawrence,

    Firstly, thank you very much for your detailed help. I'm sorry that I didn't use the correct words to describe my questions because my English is poor. Actually I have only one question: I want WSUS3 to have centralized reporting in HQ but get the update files from WSUS4 or the Internet in HQ (from WSUS4 would be preferred). The update metadata, approval information, and computer groups can come from HQ. In addition, in HQ, WSUS1 gets update files from WSUS2, which gets the update files from Microsoft Update.

    I'm sorry that the previous diagram is not full. Please reference the below updated diagram. In addition, the screenshots of the settings of WSUS1, WSUS2, WSUS3 are attached for reference.

    Thanks again!

    高麻雀


    • Edited by 高麻雀 Tuesday, February 25, 2014 2:57 AM
    Monday, February 24, 2014 11:37 AM
  • I want the WSUS3 to have the centralized reporting in HQ but get the update files from WSUS4 or Internet in HQ (from WSUS4 would be preferred).

    I'm very confused about which machines and locations you're referring to, and it doesn't really matter what version of WSUS is involved anyway.

    The requirement is this simple: The Upstream Server (the one that synchronizes with Microsoft and provides updates/approvals to the Replica Servers) is the Reporting server for a multi-server replica hierarchy. A replica server only knows about its own local clients, it knows nothing about the rest of the enterprise, so it cannot be a reporting server.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Thursday, February 27, 2014 4:39 AM
    Moderator
  • Hi Lawrence,

    Thank you very much for your continuous help! I got your point regarding the WSUS reporting feature. The WSUS master server (upstream server) is always the reporting server for a multi-server replica hierarchy. We can only check the reports of all the replica servers (downstream servers) from the master server (upstream server).

    In my scenario,

    • WSUS1 is in HQ but has no Internet access. Workstations get updates from WSUS1.
    • WSUS2 is in HQ and has Internet access. WSUS1 gets the update metadata and update files from WSUS1.
    • WSUS3 is in Branch but has no Internet access. WSUS3 is the replica server of WSUS2, and gets the approval information from WSUS2. WSUS3 was just set up and is being configured.
    • WSUS4 is in Branch and has Internet access. We are setting up WSUS4.

    It will be good that WSUS3 can get the update files from WSUS4. Because,

    • We don't want the traffic of WSUS update files to pass from HQ to Branch through the MPLS which is only 2Mbps.
    • WSUS3 does not have Internet access.

    If the WSUS3 cannot get the update files from WSUS4, getting update files from Microsoft Update for the WSUS3 is acceptable as a workaround. We are able to enable the Internet access for WSUS3 but we have to follow an EXTREMELY long process for the Internet access approval.

    Thanks,
    高麻雀
    • Edited by 高麻雀 Monday, March 03, 2014 7:55 AM
    Monday, March 03, 2014 7:54 AM
  • WSUS2 is in HQ and has Internet access. WSUS1 gets the update metadata and update files from WSUS1.

    I think you mean that WSUS1 gets update metadata and files from WSUS2.

    WSUS3 is in Branch but has no Internet access. WSUS3 is the replica server of WSUS2, and gets the approval information from WSUS2.

    Noted.

    WSUS4 is in Branch and has Internet access. We are setting up WSUS4.

    It will be good that WSUS3 can get the update files from WSUS4.

    We don't want the traffic of WSUS update files to pass from HQ to Branch through the MPLS which is only 2Mbps.

    As I've already pointed out, 2Mbps of bandwidth is exponentially more than is needed to support a WSUS server, and the WSUS server will only use AVAILABLE/UNUSED bandwidth if properly configured. I'm not really seeing a valid justification for adding a third level of hierarchy just to avoid using bandwidth on a 2Mbps MPLS connection.

    WSUS3 does not have Internet access.

    Which means you really only have two choices:

    • Either it gets approvals/files from WSUS2 (the upstream server), or
    • It gets approvals/files from WSUS4 (a downstream server).

    If the WSUS3 cannot get the update files from WSUS4, getting update files from Microsoft Update for the WSUS3 is acceptable as a workaround.

    Getting files from Microsoft is always an available option regardless of where a machine is in the hierarchy. Getting the approvals from the upstream server is highly preferable to getting them from a downstream server.

    We are able to enable the Internet access for WSUS3 but we have to follow an EXTREMELY long process for the Internet access approval.

    So, again, I think you're excessively overreacting to the bandwidth consumption on your 2Mbps MPLS WAN link, but if that's the road you choose to follow, getting the approvals from WSUS2 and files from Microsoft will always be preferable to creating a third level in the hierarchy (i.e. getting approvals and files from WSUS4).


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Friday, March 07, 2014 2:09 AM
    Moderator
  • Hi Lawrence,

    Thank you very much for your kind help all the time. Based on your replies, may I understand your points like the following?

    • If I want reporting in HQ, I must configure the Branch WSUS3 as the replica server of the HQ WSUS1, which gets update metadata/files from HQ WSUS2 that has Internet access.
    • In this case, WSUS3 is not able to get the files from WSUS4, but only able to get the files from either WSUS1 or Microsoft. If I don't want the files to pass through the WAN link, I have to enable the Internet access for WSUS3. Please check the screenshots of WSUS3 in the below.
    • The 2Mbps WAN link is managed by the networking team, who doesn't approve the WSUS update files to pass through this link. You mentioned that the WSUS server will only use AVAILABLE/UNUSED bandwidth if properly configured. So the question, by the way, is this based on BITS service by default without any manual configurations, or do I have to enable some options in the WSUS server?

    Thanks again!
    高麻雀


    • Edited by 高麻雀 Monday, March 10, 2014 5:01 AM
    Monday, March 10, 2014 2:41 AM
  • The 2Mbps WAN link is managed by the networking team, who doesn't approve the WSUS update files to pass through this link.

    Hmmmm.. that sounds like a policy/education issue for Executive IT Management to address. I'm baffled at the thought that the networking team has the authority to approve/disapprove the transmission of operationally critical content ... again, we're talking about a TWO MEGABIT link, not a 256kb link!

    You mentioned that the WSUS server will only use AVAILABLE/UNUSED bandwidth if properly configured. So the question, by the way, is this based on BITS service by default without any manual configurations, or do I have to enable some options in the WSUS server?

    The default behavior of BITS is to only use available bandwidth -- but this calculation is based on the available bandwidth at the **NIC**, and not at upstream connections. This can be particularly problematic if the machine has a Gigabit NIC installed, but a low-to-medium speed WAN connection (e.g. a 2Mbit/sec MPLS circuit). If you want to configure a WSUS server to use a percentage of the available WAN link, that will need to be explicitly configured on the WSUS server. This can be done via local policy or group policy.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Monday, March 10, 2014 6:01 PM
    Moderator
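
Because BITS measures available bandwidth at the NIC, the cap for a slow WAN link has to be set explicitly, as the reply above explains. The PowerShell below is an added example, not part of the original thread; it writes the registry values behind the policy "Limit the maximum network bandwidth for BITS background transfers" on the downstream WSUS server. The percentages and business hours are assumptions to adjust for your own link.

```powershell
# Added example (not from the thread). Run elevated on the downstream WSUS server.
# All numbers are assumptions except the 2 Mbit/s link speed taken from the thread.
$wanKbps       = 2000   # 2 Mbit/s MPLS circuit, expressed in Kbps
$businessShare = 0.25   # assumed share of the WAN link BITS may use during business hours
$offHoursShare = 0.75   # assumed share outside business hours
$fromHour      = 8      # assumed start of business hours (0-23)
$toHour        = 18     # assumed end of business hours (0-23)

# Registry location written by the BITS bandwidth policy.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

$values = @{
    EnableBITSMaxBandwidth     = 1                                # turn the limit on
    MaxTransferRateOnSchedule  = [int]($wanKbps * $businessShare) # Kbps inside the window
    MaxBandwidthValidFrom      = $fromHour
    MaxBandwidthValidTo        = $toHour
    UseSystemMaximum           = 0                                # 0: also cap outside the window
    MaxTransferRateOffSchedule = [int]($wanKbps * $offHoursShare) # Kbps outside the window
}

foreach ($entry in $values.GetEnumerator()) {
    New-ItemProperty -Path $key -Name $entry.Key -Value $entry.Value `
        -PropertyType DWord -Force | Out-Null
}

# Read the values back to confirm what BITS will see.
Get-ItemProperty -Path $key |
    Select-Object EnableBITSMaxBandwidth, MaxTransferRateOnSchedule,
                  MaxBandwidthValidFrom, MaxBandwidthValidTo,
                  UseSystemMaximum, MaxTransferRateOffSchedule

# Restart BITS so the service starts with the new values.
Restart-Service -Name BITS
```

If the server receives this policy from a domain GPO, set it there instead, since Group Policy refresh overwrites values written locally under the Policies key.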
  • Hi Lawrence,

    Thank you very much. So I have to apply for Internet access for WSUS3 so that it can download the update files from Microsoft Update because WSUS3 is not able to get the files from WSUS4 which has Internet access. In the meantime, I will also check how to configure the WSUS server to restrict the percentage of WAN link usage, and then discuss with the networking team if WSUS3 can get the update files from WSUS1 in the future.

    Thanks again, Lawrence. You are a kind expert.

    Best Regards,
    高麻雀

    Tuesday, March 11, 2014 3:25 AM