Content folder share and ntfs permissions

    Question

  • I'm moving the wsus content folder to a network file server.

     

    The share permissions should be: Read and Change to the WSUS Computer Account (and to the user performing the "wsusutil movecontent" command, until the move is done).

    What NTFS permissions should I set? Read and Write to the WSUS Computer Account?

     

    Bye


    Dario Palermo
    Saturday, May 07, 2011 12:39 AM

Answers

  • There is a note in the technet article I linked in my second post:

    It is not necessary to use a DFS share with an NLB cluster. You can use a standard network share, and you can ensure redundancy by storing updates on a RAID controller.

    That statement is technically inaccurate.

    Technical realities:

    • The Background Intelligent Transfer Service (BITS) runs in the context of the NETWORK SERVICE account. The NETWORK SERVICE account does not possess the requisite authority to write to the \WSUSContent folder existing on a network share (even assuming it can *SEE* the network share!)
    • The Update Services service runs in the context of the SYSTEM account. The SYSTEM account does not possess the requisite authority to read from the \WSUSContent folder existing on a network share (even assuming it can *SEE* the network share!).

    Now, I will grant that you can hack the ACLs for the resource on a share and make them readable by the SYSTEM account and writable by the NETWORK SERVICE account -- and as long as you're not intimidated by travelling down the road of "unsupported territory", then if having ~\WSUSContent on a network share is really that important --- by all means, have at it!


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, May 19, 2011 12:37 AM
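
Added example, not part of the original answer: a PowerShell check of what an NTFS ACL on the content folder grants to the accounts discussed above. It assumes standard Windows behaviour, where a service running as SYSTEM or NETWORK SERVICE presents the machine's computer account to a remote file server; the ACL, the domain SID and the `Get-GrantedRights` helper are constructed for illustration.

```powershell
# Added example (not from the thread). Reports which NTFS rights an ACL grants
# directly to a SID. Group membership is not expanded, so the result is a
# lower bound on effective access.
function Get-GrantedRights {
    param(
        [System.Security.AccessControl.DirectorySecurity]$Security,
        [string]$Sid
    )
    $allow = 0; $deny = 0
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($rule in $Security.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $Sid) { continue }
        # Inherit-only ACEs apply to children, not to the folder itself.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }
    # Deny ACEs win over allow ACEs for the same SID.
    [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
}

# Constructed ACL: Administrators get Full Control, a made-up WSUS computer
# account SID gets Read & Execute only (0x1200a9).
$sddl = 'D:PAI(A;OICI;FA;;;BA)' +
        '(A;OICI;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)
# Against a live folder, replace the three lines above with:
#   $acl = Get-Acl '\\<fileserver>\<share>\WSUSContent'

$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$accounts = [ordered]@{
    'WSUS computer account (constructed SID)' = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
    'SYSTEM (local to the file server)'       = 'S-1-5-18'
    'NETWORK SERVICE (local to file server)'  = 'S-1-5-20'
}
foreach ($name in $accounts.Keys) {
    $granted = Get-GrantedRights -Security $acl -Sid $accounts[$name]
    [pscustomobject]@{
        Account   = $name
        Granted   = $granted
        HasModify = (($granted -band $modify) -eq $modify)
    }
}
```

With the constructed ACL, no account reports `HasModify = True`: the computer account can read but not write, which is the condition under which content downloads to the share would fail.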

All replies

  • I'm moving the wsus content folder to a network file server.
    This configuration is not supported.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, May 09, 2011 8:54 PM
  • I went down that road after reading:

     

    http://technet.microsoft.com/en-us/library/cc708533%28WS.10%29.aspx

     

    They're talking about putting the content folder on a DFS or a network share...

     

    Bye


    Dario Palermo
    Tuesday, May 10, 2011 6:16 AM
  • They're talking about putting the content folder on a DFS or a network share...

    They should also note that the use of a DFS share is only supported in a Network Load Balancing (NLB) scenario.

    i.e. if you only have one WSUS server, the content store must be local.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Tuesday, May 10, 2011 6:57 PM
  • Sorry Lawrence... I still don't get it completely...


    What's the difference from the WSUS server point of view? Is it in the web config of the web site? Maybe there is a way to manually configure the registry and/or some config files and have a single server with the content folder on a network share...

    Anyway... I could set up a single node NLB cluster to do the job... right? It would be also "ready for expansion" and for future porting of WSUS role to other servers.

     

    PS

    In a clustered scenario, what NTFS permission should I give to the folder? Read and write for all the node's computer accounts?

     

    PPS

    Thanks for your support.

     

    Bye


    Dario Palermo
    Tuesday, May 10, 2011 7:18 PM
  • What's the difference from the WSUS server point of view?

    Technically speaking, probably nothing, although Distributed File Services (DFS) are designed to provide a common filestore to multiple users (in this case, nodes of a WSUS NLB cluster). My point, though, is not about technological feasibility -- there are dozens of 'modifications' and 'customizations' that can be done to a WSUS server, and they will work.

    My point was about *supported*. If you configure a DFS share and point a single-node WSUS server to that DFS share, and then have need to contact Microsoft PSS/CSS because something doesn't work -- they're going to tell you to put the content back on the local machine and call them back once the environment is in a "supported" configuration.

    If that's a limitation you're willing to work within -- then experiment to your heart's content. :-)

    Whether the DFS share on a single system will work, long term, is unknown, because "unsupported" also means *UNTESTED*.

    In a clustered scenario, what NTFS permission should I give to the folder? Read and write for all the node's computer accounts?
    The setup requirements for NLB clusters and DFS shares are documented in the appendix of the Deployment Guide. I've never had occasion to set up a WSUS NLB cluster, so I'm not personally familiar with any of the procedures or configuration requirements.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, May 12, 2011 8:16 PM
  • Calling Microsoft support? Never had, never will... I hope! :)

    I feel like taking a shot at this solution. Maybe I'll share the results with others; I saw on the web I'm not the only one interested in having a remote content folder...

    PS

    I'm thinking, at least for now, about using a simple shared folder and not a DFS share... they say in that document about NLB deployment that they are both usable.


    Dario Palermo
    Sunday, May 15, 2011 1:03 AM
  • I'm thinking, at least for now, about using a simple shared folder and not a DFS share... they say in that document about NLB deployment that they are both usable.

    A DFS share with a single-front end node will work . . . but is merely unsupported by PSS.

    A NETWORK SHARE will not work. Period. The resources on the WSUS server that need to write to that folder will not have the necessary permissions to write to a network share, and the writes (thus the content downloads) will fail.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Wednesday, May 18, 2011 10:31 PM
  • There is a note in the technet article I linked in my second post:

    It is not necessary to use a DFS share with an NLB cluster. You can use a standard network share, and you can ensure redundancy by storing updates on a RAID controller.

    Exactly what I would do, but you're telling me that I cannot use a standard network share...

    After my first try, I'd say you're right, but it's not easy to ignore technet :/

    Did I get it wrong?

    Bye


    Dario Palermo
    Wednesday, May 18, 2011 10:37 PM
  • Mr. Garvin,

    We have a scenario that necessitates a highly available WSUS solution. Installation and configuration appear to be in order; however, I am receiving the HTTP Error 500.19.

    Module: IIS Web Core

    Notification: BeginRequest

    Handler: Not yet determined

    Error code: 0x80070005

    Config error states: Cannot read configuration file due to insufficient permissions

    Config File \\?\UNC\DFSServer\WSUS\web.config

    Requested URL http://localhost:8530/Content

    Physical Path \\DFSServer\WSUS [DFS share is on a failover cluster]

    Logon Method Not yet determined

    Logon User Not yet determined

    I am using a domain account which has sufficient NTFS permissions as per the guide. When I attempt to browse the virtual directory, I'm met with said error. I used Process Monitor and indeed I see an "Access Denied" when the IIS worker process is attempting to CreateFile on path \\DFSServer\WSUS\web.config. web.config does not currently exist in this directory. I am at a loss as I have attempted to add what I believe are the necessary NTFS permissions to the root of the share.

    There are two virtual directories in WSUS Administration: /Selfupdate (shows a local physical path) and /Content (shows \\DFSServer\WSUS).

    ...Help!

    Wednesday, September 05, 2012 5:51 PM
  • We have a scenario that necessitates a highly available WSUS solution.

    Setting aside my personal disbelief that such a scenario truly does exist.... :-)

    Installation and configuration appear to be in order; however, I am receiving the HTTP Error 500.19.

    When I attempt to browse the virtual directory, I'm met with said error. I used Process Monitor and indeed I see an "Access Denied" when the IIS worker process is attempting to CreateFile on path \\DFSServer\WSUS\web.config. web.config does not currently exist in this directory. I am at a loss as I have attempted to add what I believe are the necessary NTFS permissions to the root of the share.

    We've actually seen this error code in this forum one other time -- last September -- so let's start with the solution from that thread:

    http://www.system-center.me/miscellaneous/http-error-500-19-internal-server-error-after-installing-wsus-x64

    The original thread, which may be helpful as background, is found at

    http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/995ff7c6-efba-443c-b9f8-64122dc232d9


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Thursday, September 06, 2012 2:09 AM