cluster aware updating via WSUS

    Question

  • I can't seem to find this information anywhere,

    I have set up a 2 node hyper-v 2012 baremetal cluster and configured it with cluster aware updating role (CAU)

    the environment is not internet facing and the updates need to come through a local WSUS server, a capability mentioned in many articles, however no guidelines on how to actually do it

    CAU is configured with the microsoft.windowsupdateplugin in self-updating mode

    I'm not sure how to point the CAU role to the local WSUS host, obviously no updates are occurring since there is no internet access to the MS update servers and WSUS cannot simply be auto-discovered

    has anyone done this or know how to make this work?  I can only assume I would have to pass on some sort of argument to the CAUpluginArguments field with the http/s link to the WSUS infrastructure but can't find the proper string

    thanks in advance,

    armin

    Friday, December 28, 2012 19:48

Answers

  • I'm not sure how to point the CAU role to the local WSUS host, obviously no updates are occurring since there is no internet access to the MS update servers and WSUS cannot simply be auto-discovered

    You configure Cluster-Aware Updating in exactly the same way you would configure a standalone node. Use Group Policy to configure the WUAgent. 

    http://technet.microsoft.com/en-us/library/dd939933(v=ws.10).aspx

    What CAU does is coordinate the activities of the individual WUAgents on each node of a cluster, but that still requires that the nodes be configured as WSUS clients.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by armin19 Wednesday, January 2, 2013 15:57
    Tuesday, January 1, 2013 02:18
    Moderator

All replies

  • I'm not using CAU myself, but from the documentation: http://technet.microsoft.com/en-us/library/hh847234.aspx

    it doesn't seem that it is configured any differently than any other WU implementation - just the invocation and scheduling would be under the control of CAU so as to avoid cluster unavailability?


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Friday, December 28, 2012 21:35
  • I've looked at that link as well but as you saw, nothing specific in there for pointing to another update server, the only thing that comes close is how to go through a proxy server, but that's not the issue either.

    I wish it was as easy as you say but CAU creates a virtual computer object in AD which seems to act as the "update broker" if you will for all the nodes in the cluster requiring updates, more than just invocation/scheduling.  During validation if CAU sees your local cluster nodes are configured to go through WSUS it will actually throw a flag since it sees it as a conflict.  It's noted in the best practices section that CAU should be exclusively managing patches, not WSUS/SCCM/etc. on the cluster nodes.

    I even tried to put the CAU virtual computer object in the OU where my usual WSUS policies reside but it didn't do anything since that object is not really a traditional computer object in AD, it never showed up in the WSUS console after reboots and manual update triggers from the CAU snap-in.

    Thanks anyway, let's see if anyone has this working.

    Saturday, December 29, 2012 04:46
  • It's noted in the best practices section that CAU should be exclusively managing patches, not WSUS/SCCM/etc. on the cluster nodes.

    What that means is that you should not use policy to specify a scheduled installation time for the nodes, but rather allow the CAU subsystem to 'schedule' the installations.

    Regarding the configuration, this statement in the Overview may shed some light:

    To enable self-updating mode, the CAU clustered role must also be added to the failover cluster. To do this by using the CAU UI, under Cluster Actions, use the Configure Self-Updating Options action.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, January 1, 2013 02:27
    Moderator
  • You're right, my default WSUS GPO which the cluster nodes were initially inheriting has a schedule for installing updates so the CAU analysis report was reporting a conflict.

    I created a new WSUS GPO with no scheduling defined and ran the CAU report and it passed this time, the update wizard also seems to work ok but I'll know for sure when new updates come out next week as they're all up to date right now.

    Thanks for your help.

    Wednesday, January 2, 2013 15:56
  • For clarity, when setting up the special GPO to send the WSUS settings to the cluster, what is the best way to configure the "Configure Automatic Updates" policy?  Is it to '3 - Autodownload and notify for install' and then the CAU client on the hosts will take it from there? Or is a different option on that list better?

    The technet seems to suggest that both option 2 & 3 on that list would work, but I presume option 3 is slightly better since the updates are downloaded and ready to be installed, thus it's a bit quicker?

    Secondly, our Hyper-V cluster machines are in their own OU, and as well as the 3 machine names for the 3 machines in the cluster, there is also a 4th machine name in the same OU, a "Failover cluster virtual network name account".   Is it correct to apply the WSUS GPO to that whole OU, to all 4 machine names?

    Monday, January 27, 2014 10:12

  • Secondly, our Hyper-V cluster machines are in their own OU, and as well as the 3 machine names for the 3 machines in the cluster, there is also a 4th machine name in the same OU, a "Failover cluster virtual network name account".   Is it correct to apply the WSUS GPO to that whole OU, to all 4 machine names?

    Would anyone be able to help with this please?
    Tuesday, February 4, 2014 10:29
  • For clarity, when setting up the special GPO to send the WSUS settings to the cluster, what is the best way to configure the "Configure Automatic Updates" policy?  Is it to '3 - Autodownload and notify for install' and then the CAU client on the hosts will take it from there?

    It must be AUOption='3'. It's the only way to ensure the binaries are available for installation when CAU kicks off the update, and still not involve the configuration of a scheduled installation event.

    The technet seems to suggest that both option 2 & 3 on that list would work,

    I would be skeptical of AUOption='2'. How are the binaries going to get downloaded? If CAU tells the WUA to install updates, and the updates are not downloaded, ready for installation, nothing's going to get installed. (Unless somebody is claiming that CAU will also launch a download. However, that would unnecessarily extend the amount of time needed to patch a given node of the cluster, so certainly an undesirable configuration at best. Much better to have all files downloaded before launching the installation task.)

    I'd also point out that if you're implementing CAU, there's no reason NOT to let the binaries download automatically. AUOption='2' would be used when you want to control WHEN the binaries are downloaded by launching the download interactively.

    Is it correct to apply the WSUS GPO to that whole OU, to all 4 machine names?

    The GPO is just a methodology to configure a Windows Update Agent with the desired settings. Neither the GPO, nor the WUA, care whether it's on a cluster node or not. What's correct is to configure the machine the way you want it configured.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, February 6, 2014 00:01
    Moderator
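
The settings discussed in this thread (nodes pointed at WSUS by policy, AUOptions 3, no scheduled installation) can be checked per node from the policy registry values the GPO writes. The following is an added example, not part of any post: the function names are hypothetical, and `wsus.example.local` and the node labels are constructed sample values.

```powershell
# Added example, not from the thread: audit the Windows Update Agent policy
# values a WSUS GPO writes. Function names and sample values are hypothetical.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuaPolicy {            # reads the policy values from one node
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $wu = Get-ItemProperty -Path $using:WuKey -ErrorAction SilentlyContinue
        $au = Get-ItemProperty -Path (Join-Path $using:WuKey 'AU') -ErrorAction SilentlyContinue
        @{ WUServer = $wu.WUServer; WUStatusServer = $wu.WUStatusServer
           UseWUServer = $au.UseWUServer; AUOptions = $au.AUOptions
           NoAutoUpdate = $au.NoAutoUpdate }
    }
}

function Test-WuaPolicyForCau {     # returns findings; an empty result means OK
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    if ($Policy.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1: agent will not use WSUS' }
    if (-not $Policy.WUServer) {
        $findings += 'WUServer is not set: no intranet update service configured'
    } elseif ($Policy.WUStatusServer -ne $Policy.WUServer) {
        $findings += 'WUStatusServer differs from WUServer'
    }
    if ($Policy.WUServer -like 'http://*') { $findings += 'WUServer uses plain HTTP' }
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1: binaries will not be downloaded ahead of a CAU run'
    } elseif ($Policy.AUOptions -eq 4) {
        $findings += 'AUOptions is 4: scheduled installation conflicts with CAU'
    } elseif ($Policy.AUOptions -ne 3) {
        $findings += "AUOptions is '$($Policy.AUOptions)', expected 3 (download, notify for install)"
    }
    $findings
}

# Constructed sample values so the check runs without a cluster.
$samples = [ordered]@{
    'NODE1 (GPO with install schedule)' = @{ WUServer = 'http://wsus.example.local:8530'
        WUStatusServer = 'http://wsus.example.local:8530'; UseWUServer = 1; AUOptions = 4 }
    'NODE2 (GPO without schedule)' = @{ WUServer = 'https://wsus.example.local:8531'
        WUStatusServer = 'https://wsus.example.local:8531'; UseWUServer = 1; AUOptions = 3 }
}
foreach ($name in $samples.Keys) {
    $f = @(Test-WuaPolicyForCau -Policy $samples[$name])
    if ($f.Count) { $f | ForEach-Object { "${name}: $_" } } else { "${name}: OK" }
}
# On a live cluster (FailoverClusters module, PowerShell remoting enabled):
# Get-ClusterNode | ForEach-Object { Test-WuaPolicyForCau -Policy (Get-WuaPolicy $_.Name) }
```
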
  • Thanks Lawrence, we can always rely on you to cut through the blandness of technet articles with some actual insight.
    Tuesday, February 11, 2014 15:09