WSUS and SCCM 2012

  • Question

  • Hi,

    I currently have WSUS 3 SP2 running on a Windows 2008 server in my domain and all works great.  I am going to be installing SCCM 2012 this year and I've read different things about WSUS and SCCM and wasn't quite sure what the best practice was for the two of them.  Hopefully someone can answer the following questions:

    Should I leave my WSUS installation on the separate server alone or should I put WSUS on the same server as SCCM?  If so will I have to re-setup my WSUS database?

    Will I need to do anything with my domain GP about updates?

    Will I need to reselect which updates are downloaded, approved?

    Thanks,

    Nick

    Friday, June 8, 2012 11:42 PM

All replies

  • Hi,

    if you have WSUS in place and are implementing ConfigMgr, one of the decisions you will need to make is to retain WSUS or totally displace it.
    Don't try to re-use an existing WSUS for ConfigMgr - it won't work. ConfigMgr performs a complete mind control on WSUS and you cannot interfere with it without disrupting ConfigMgr.

    So, you can choose to (a) implement ConfigMgr without its SoftwareUpdateManagement features and keep your WSUS in place, and manage 2 systems, or, (b) forego WSUS and implement ConfigMgr with its SUM feature/role (which is basically an internal instance of WSUS that is extended by ConfigMgr)

    For (b), your existing WSUS db, products, classifications, groups, lists, approvals, content, etc will all become obsolete and of no value. You must reconstruct all that in the ConfigMgr way.
    You must also remove your domain GPO that set WSUS server names/addresses, since ConfigMgr needs to take control of the WUagent on your client PCs and it will malfunction and complain bitterly if you don't let it do so.


    Don



    • Edited by DonPick Saturday, June 9, 2012 7:47 AM
    • Marked as answer by Clarence Zhang Wednesday, June 20, 2012 2:27 AM
    Saturday, June 9, 2012 7:44 AM
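
    The GPO point in the reply above can be checked before the software update point is enabled. The following is an added example, not code from any poster in this thread: it reads the Windows Update policy values on a client and lists the domain GPOs that still set `WUServer`. The `$ExpectedSup` URL is a constructed placeholder, and the GPO search assumes the GroupPolicy module (RSAT) is installed.

```powershell
# Added example: check for leftover WSUS policy settings before ConfigMgr takes over the WUagent.
param(
    # Hypothetical SUP URL; replace with the address of your software update point.
    [string]$ExpectedSup = 'http://sup01.example.test:8530'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicy {
    # Policy values the Windows Update Agent reads for an intranet update server.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

# Client side: what is the agent currently told to use?
$policy = Get-WuPolicy
$policy | Format-List

if (-not $policy.WUServer) {
    'No WUServer policy present on this client.'
} elseif ($policy.WUServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
    "WUServer points at $($policy.WUServer), not the expected SUP $ExpectedSup."
} else {
    'WUServer matches the expected SUP.'
}

# Domain side: list every GPO that still carries a WUServer setting.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    foreach ($gpo in Get-GPO -All) {
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate' `
                -ValueName 'WUServer' -ErrorAction Stop
            '{0} sets WUServer = {1}' -f $gpo.DisplayName, $v.Value
        } catch {
            # This GPO does not configure WUServer; nothing to report.
        }
    }
} else {
    'GroupPolicy module not available; skipping the domain GPO search.'
}
```
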
  • Hi,

    According to the SCCM2012 technet documentation, if you need to support more than 25,000 clients, you should run your WSUS\SUP on a separate server from your site server, in addition, you should not have any other site systems installed on this WSUS\SUP server, eg. MPs, DPs.

    http://technet.microsoft.com/en-us/library/gg712696

    “Up to 100,000 clients when WSUS 3.0 SP2 runs on the software update point computer and the software update point does not co-exist with another site system role.”

    The question I have is, if we follow this advice above and have a dedicated WSUS\SUP server, should I point WSUS to create a DB on my remote primary site sql server, which will be SQL 2008 R2, or is it better to use an internal DB locally on the WSUS\SUP server?

    thanks

    Sunday, June 10, 2012 6:37 AM
  • The question I have is, if we follow this advice above and have a dedicated WSUS\SUP server, should I point WSUS to create a DB on my remote primary site sql server, which will be SQL 2008 R2, or is it better to use an internal DB locally on the WSUS\SUP server?

    Hi, this ConfigMgr setup question is best directed to the dedicated ConfigMgr2012 setup forum,
    (http://social.technet.microsoft.com/Forums/en-US/configmanagerdeployment/threads) but I would first refer you to the WSUS TN library page:
    http://technet.microsoft.com/en-us/library/dd939812(v=ws.10)

    I would suggest that if you are intending to implement a dedicated WSUS/SUP, then use the default WID for WSUS db and avoid the potential complications of an off-box SQL for WSUS.


    Don


    • Edited by DonPick Sunday, June 10, 2012 10:03 AM
    Sunday, June 10, 2012 10:02 AM
  • Hi Don,

    Thanks for the information.  I wasn't quite sure what to do with my WSUS server but now it seems that the best thing would be to get rid of it and setup the SUM feature of SCCM 2012.  I guess I will have to document my WSUS groups and classifications, etc. and then try and recreate them or their equivalent in SCCM. My group lists aren't too complicated so rebuilding that won't be too bad.

    Is it possible to have the SCCM databases and the WSUS databases on the same SQL Server instance?  I'm thinking I will setup SCCM first and then once I have that up and working, turn off my WSUS server, remove the update policies in my domain GPO and then setup the SUM feature in SCCM.

    Nick

    Tuesday, June 12, 2012 11:24 PM
  • I have similar scenario, the only difference is

    I have current SCCM 2007 and separate WSUS Server and will have to migrate to SCCM 2012.

    Currently Updates are done by WSUS Server and not by SCCM.   For an organization of this size doing updates with SCCM will be additional burden.

    The question/problem is because the server is not an SUP, I do not get reports of status of updates.

    My thoughts are... Make it a SUP, keep the same scenario i.e. Updates via WSUS and as both use same engine (Windows Update Agent), and then one should be able to get reports on status of updates as scanning will be done by SCCM.

    Need a feedback, if anyone has tried this scenario? or opinions if this will work?

    Thanks

    Dilip

    Thursday, June 14, 2012 2:01 PM
  • Is it possible to have the SCCM databases and the WSUS databases on the same SQL Server instance?

    Yep. It's something that needs a certain level of competence with SQL to do, and assumes you have the relevant SQL licensing (e.g. some ConfigMgr license sets under CM2007 included SQL technology but from memory there were some limits on what you could use that SQL for. I haven't looked into the lineup for CM2012 too deep, since we are a bigger shop and use the top'o'the'line SKU's anyway).

    Suggest you dig deeply into the CM forums for scenarios where migration from WSUS to CM/SUM is discussed.
    It's not difficult but a good outcome will result from a carefully planned approach (as in most things :)


    Don

    Friday, June 15, 2012 7:54 AM
  • I have current SCCM 2007 and separate WSUS Server and will have to migrate to SCCM 2012.

    Currently Updates are done by WSUS Server and not by SCCM.   For an organization of this size doing updates with SCCM will be additional burden.

    CM2012 provides a lot more automation particularly around auto-approval/deploy so it's not such a difference between auto-pilot WSUS any more.
    CM/SUM isn't a burden if you are doing phased releases and testing/piloting anyway.

    Don

    Friday, June 15, 2012 7:57 AM
  • My thoughts are... Make it a SUP, keep the same scenario i.e. Updates via WSUS and as both use same engine (Windows Update Agent), and then one should be able to get reports on status of updates as scanning will be done by SCCM.

    @Dilip - I haven't tried this, but you might be able to configure and use the SU client agent and have it never deploy anything.
    Since the SUP and SUM would need to be fully configured to get the scan/detect happening and push the status messages back to MP for reporting, you would maybe have some careful configuration to avoid conflicting WUagent settings.
    Perhaps if you went completely against all the MS advice, and managed the SUP instance of WSUS directly, it might work. As long as you never do any SUM deployments...

    I'm still not sure the reporting will be reliable.

    Suggest you ask in the CM/SUM forum, maybe somebody there has tried what you propose?


    Don

    Friday, June 15, 2012 8:03 AM
  • Hi I read this and from what I've seen you do use WSUS.  When I look at the ROLES on our Primary it asks you which WSUS server you want to point to.   Also, I don't see any SUM role...... I do see a Software Update Point role....is that what you meant?

    // ConfigMgr with its SUM feature/role //


    mqh7

    Monday, April 1, 2013 9:11 PM
  • Hi I read this and from what I've seen you do use WSUS.  When I look at the ROLES on our Primary it asks you which WSUS server you want to point to.   Also, I don't see any SUM role...... I do see a Software Update Point role....is that what you meant?

    // ConfigMgr with its SUM feature/role //

    SUM = Software Update Management (the broad grouping of features/components)
    SUP = Software Update Point (the specific feature/role which exploits/controls WSUS)

    Things have also changed a bit with the release of SP1 for CM12, there are new options available for implementing/configuring, like tiered WSUS and multiple active SUP's, etc.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Tuesday, April 2, 2013 7:12 AM
  • We have 1 central site and 2 primary sites.  On our Central site we have the following roles defined

     

    component server, reporting service point, site database server, site server, site system, software update point.

     

    I then tried to Add a New Role.  I only see 3 available roles to choose from.

    Asset intelligence synchronization point, endpoint protection point and system health validator point

     

    So I don't see any Software Update Management role.  I looked on our 2 primary sites and it is not there nor is it an option to add.

    Why would it be missing on all of our servers?  What did we fail to install?

    Thanks.  


    mqh7

    Tuesday, April 2, 2013 2:16 PM
  • We have 1 central site and 2 primary sites.  On our Central site we have the following roles defined

    component server, reporting service point, site database server, site server, site system, software update point.

    I then tried to Add a New Role.  I only see 3 available roles to choose from.

    Asset intelligence synchronization point, endpoint protection point and system health validator point

    So I don't see any Software Update Management role.  I looked on our 2 primary sites and it is not there nor is it an option to add.

    Why would it be missing on all of our servers?  What did we fail to install?

    SUM is not a role you can install. SUM is the label/name given to the capability/method/approach.
    For CM, SUP is the role which you are looking for.
    For help with setting up/configuring ConfigMgr, I recommend you ask in the CM forums for your CM version (CM07 or CM12).
    CM07: http://social.technet.microsoft.com/Forums/en-US/category/configurationmanager 
    CM12: http://social.technet.microsoft.com/Forums/en-US/category/systemcenter2012configurationmanager



    Don

    Tuesday, April 2, 2013 8:27 PM
  • Hi I read this and from what I've seen you do use WSUS.  When I look at the ROLES on our Primary it asks you which WSUS server you want to point to.   Also, I don't see any SUM role...... I do see a Software Update Point role....is that what you meant?

    // ConfigMgr with its SUM feature/role //

    The OP already had WSUS, and then installed CM. In this scenario, it's recommended to forget the old WSUS server and build a fresh one for your SUP. Don't try to re-use or dual-purpose the WSUS as your SUP.
    CM only uses the WSUS for a couple of things, and the previous configurations on WSUS will only complicate things for SUP.
    I'm not saying that CM doesn't use/require WSUS - I'm just saying that you should not re-use an old WSUS for your SUP.

    Don


    • Edited by DonPick Tuesday, April 2, 2013 8:33 PM
    • Proposed as answer by mqh7 Tuesday, April 2, 2013 9:28 PM
    Tuesday, April 2, 2013 8:32 PM