none
Using Windows Authentication with WSUS on Server 2008

    Pregunta

  • On a Windows Server 2008 Standard OS, I would like to implement WSUS for a small organization, using the simplest possible configuration for WSUS. While looking at the procedure for installation of the service, I saw that one of Roles for the server would be IIS with a security service for "Windows Authentication". The description of this service in Server Manager includes the following sentence: "This authentication scheme allows administrators in a Windows domain to take advantage of the domain infrastructure for authenticating users."

    My question, therefore, is whether having a Windows domain is required for implementing WSUS or can it be implemented in a workgroup only environment? I can add that in this particular situation there would be no authentication of users needing to occur in any case because only the administrator himself would be making use of the service on these machines.

    Also, would WSUS also work for systems installed in virtual machines? Thanks you.

    domingo, 12 de mayo de 2013 16:09

Respuestas

  • Hi

    Q1:

    based on this article there is no need to install WSUS on Domain so you install it on your server (without domain) and configure your clients to communicate with this new Update Server.

    Q2:

    all clients (if configure them properly) can communicate with WSUS whether virtual or physical

    domingo, 12 de mayo de 2013 17:29

Todas las respuestas

  • Hi

    Q1:

    based on this article there is no need to install WSUS on Domain so you install it on your server (without domain) and configure your clients to communicate with this new Update Server.

    Q2:

    all clients (if configure them properly) can communicate with WSUS whether virtual or physical

    domingo, 12 de mayo de 2013 17:29
  • Hi, Pavam.

    In reading the article referenced by you, I see this part of it near the end:

    "Any computer that runs the WSUS Administration Console must also have all of the following software installed:

    • At least The Microsoft .NET Framework 2.0
    • At least Microsoft Management Console 3.0
    • At least Microsoft Report Viewer Redistributable 2008

    The computer that runs the WSUS Administration Console must be in the same Active Directory domain as the WSUS server, or it must have a trust relationship with the Active Directory domain of the WSUS server."

    Therefore, I would infer that, at the very least, unless I intend to utilize the Administration Console solely on the WSUS server machine itself, I would need to use it in a Windows domain setting. In other words, I could not use a different Workgroup machine, one running Windows 7 for example, for the Administration Console. Would you not agree with this statement?

    miércoles, 22 de mayo de 2013 16:46
  • Therefore, I would infer that, at the very least, unless I intend to utilize the Administration Console solely on the WSUS server machine itself, I would need to use it in a Windows domain setting.

    That is the intended inference; however, there are two alternatives to domain membership that will work.

    The first is to use Remote Desktop to connect to the WSUS server and run the console locally via the RDC.

    In other words, I could not use a different Workgroup machine, one running Windows 7 for example, for the Administration Console.

    The second one is how to actually use this scenario. Generally not recommended because it introduces some security 'holes' in the environment, but it does work essentially using the principles of peer-to-peer workgroup file sharing that date back to the days of Win v3: If you configure an account with the same name on both systems and set the passwords to be identical, the non-domain system will authenticate the connection as a local authentication.

    One step up from that, in Windows 7 you can use Control Panel | User Accocunts to define a stored credential for the WSUS server connection, and the WSUS server will also authenticate that connection.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    jueves, 30 de mayo de 2013 0:12