Reducing WSUS tiers

    Question

  • Hello, we have a 4-tier WSUS structure in replica mode. The top tier only has one server from where we approve updates. Let's call it Server1.

    The 2nd tier has only one server, let's call it Server2.1, reporting to Server1.

    The third tier servers, let's call them Server3.1 and Server3.2, both report to Server2.1.

    There are six servers reporting to Server3.1 and two servers reporting to Server3.2.

    Microsoft did not suggest creating any more than 3 layers. When all this was set up, that bit was not given a thought. I think, because of these 4 layers, reporting and synching became a problem later down the track.

    On the top server, called Server1, under Reporting Rollup, "Roll up status from replica downstream servers" is selected.

    Question: If I bring Server3.1 and Server3.2 in line with the 2nd tier to sit alongside Server2.1 and make their parent server Server1 (which is the case for Server2.1), will it break my system in any way? My guess is no, but I still need to be sure from the experts out here.

    Thanks


    Shahidul

    Thursday, March 06, 2014 2:59 AM

Answers

  • Hello, we have a 4-tier WSUS structure in replica mode. The top tier only has one server from where we approve updates. Let's call it Server1.

    The 2nd tier has only one server, let's call it Server2.1, reporting to Server1.

    So my first response is that you need to eliminate one of these tiers. Period. There is *NO* value in having a single server replicate from another single server, and in this case it's causing you to have a multi-layer replication hierarchy that exceeds the maximum recommended by Microsoft.

    The third tier servers, let's call them Server3.1 and Server3.2, both report to Server2.1.

    They should simply report to Server1 and Server2 should go away.

    There are six servers reporting to Server3.1 and two servers reporting to Server3.2.

    In which case I would argue whether you even need Server 3.1 and Server 3.2. These EIGHT servers should sync directly with Server1 and simplify the entire hierarchy.

    Microsoft did not suggest creating any more than 3 layers.

    Exactly, and with only EIGHT leaf-node servers, you don't need more than TWO layers.

    I think, because of these 4 layers, reporting and synching became a problem later down the track.

    Absolutely!

    Question: If I bring Server3.1 and Server3.2 in line with the 2nd tier to sit alongside Server2.1 and make their parent server Server1 (which is the case for Server2.1), will it break my system in any way?

    Nope. But as noted, you should make that tier go bye-bye too. You only need two tiers in this environment.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, March 07, 2014 3:45 AM
  • If I make them 3 layers or, as you suggested, 2, I still get to keep the geographical placement of each client along with the WSUS server. In the new 2 or 3 layer scenario all that's changing is how these WSUS servers sync, that is, their parent server will change to talk to the topmost layer and that's it, and the approval and patch dispatch scenario remains the same.

    Exactly.

    And the benefit you'll see is that the update approvals and files will likely arrive on the leaf-node WSUS servers much faster, which gets the clients patched a day (or possibly two) sooner.

    Also, in terms of considering load on a WSUS server, consider that a WSUS downstream server is equivalent to a few clients, depending on the number of operating systems being serviced.

    A single WSUS server can support tens of thousands of clients (in fact, in a lab scenario several years ago, Microsoft load-tested 100k clients on a single WSUS server), so a load of 11 downstream servers is trivial.

    I suppose the only change will be that these 11 servers will all use the internal network to download approved patches from Server1, utilising the same bandwidth 11 times from 11 different networks etc... is that correct?

    That is correct, but for a typical monthly patch cycle (NOT including Definition Updates), you'll find that the actual quantity of bits transferred is not that significant.

    You could put a reverse proxy server on the perimeter of the corporate network, and reduce that to one transfer across the LAN (albeit still 11 across the WAN). 


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, March 07, 2014 10:05 PM
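
The re-parenting discussed in the answers above, as an added PowerShell example that is not part of the original thread: it records each listed replica's current upstream, points it at Server1 and starts a synchronization. The UpdateServices module (Windows Server 2012 or later), port 8530 and the literal server names are assumptions; substitute real host names.

```powershell
# Added example, not from the thread. Assumes the UpdateServices module
# (Windows Server 2012 or later) and WSUS listening on port 8530.
Import-Module UpdateServices

$NewUpstream = 'Server1'                  # top-tier server as named in the thread
$Port        = 8530                       # assumed WSUS HTTP port
$Replicas    = 'Server3.1', 'Server3.2'   # placeholder names from the thread

foreach ($name in $Replicas) {
    # Connect to the downstream server whose parent is being changed.
    $wsus = Get-WsusServer -Name $name -PortNumber $Port
    $cfg  = $wsus.GetConfiguration()

    # Emit the current parent first so the change can be reverted if needed.
    [pscustomobject]@{
        Server      = $name
        OldUpstream = $cfg.UpstreamWsusServerName
        OldPort     = $cfg.UpstreamWsusServerPortNumber
        IsReplica   = $cfg.IsReplicaServer
    }

    # Skip servers that already sync from the top tier.
    if ($cfg.UpstreamWsusServerName -eq $NewUpstream) { continue }

    # Keep replica mode so approvals still come only from Server1.
    Set-WsusServerSynchronization -UpdateServer $wsus `
        -UssServerName $NewUpstream -PortNumber $Port -Replica | Out-Null

    # Pull approvals and metadata from the new parent right away.
    $wsus.GetSubscription().StartSynchronization()
}
```

Run it against one server first and confirm that it appears under Server1's downstream servers and reports status before changing the rest.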

All replies

  • The new structure of 12 servers in total has been placed geographically to serve local clients. Previously we used to have only two WSUS servers that practically would keep the whole network at these 12 places busy for 2/3 days during patch release time. With this structure and physically targeting local clients to the local WSUS server we have overcome that. Server1 is in a more controlled domain, and Server 2.1 and the rest are in a more relaxed domain. This was purely a design issue keeping security etc. in mind. But these two are physically in the same data center.

    If I make them 3 layers or, as you suggested, 2, I still get to keep the geographical placement of each client along with the WSUS server. In the new 2 or 3 layer scenario all that's changing is how these WSUS servers sync, that is, their parent server will change to talk to the topmost layer and that's it, and the approval and patch dispatch scenario remains the same.

    I suppose the only change will be that these 11 servers will all use the internal network to download approved patches from Server1, utilising the same bandwidth 11 times from 11 different networks etc... is that correct?


    Shahidul

    Friday, March 07, 2014 5:24 AM