Relocate WSUS to new domain

  • Question

  • I am looking for advice on moving a WSUS server to a different domain. We have a full SQL back end with approximately 1,200 customer systems (multiple customers) assigned to WSUS for updates/reporting. We need to move this server to a new domain to retire the old, nearly unused domain it resides in. I am fairly certain that the WSUS pieces would take everything in stride, but I am not so sure about the database.

    I will entertain all advice. Do I need to back up the database, reinstall SQL/WSUS, and restore the database after the move? (Regardless, I will back up the database first.)

    Thanks,

    Mike

    Wednesday, May 9, 2018 9:30 PM

All replies

  • Hi,

    You could refer to this link:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/680a4087-b3e8-40aa-b05e-f38523a425df/migrate-wsus-server-to-new-domain-and-new-server?forum=winserverwsus


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 10, 2018 2:22 AM
  • That doesn't answer my question. We wish to migrate the whole server to a new domain; the IP and server name will not change. Can it be done? Or do I need to recreate it in the new environment with a new IP, replicate the database, and swap the IPs so the new server has the original IP?

    We must use the existing IP to allow us to continue to reuse the existing IPsec tunnels. Otherwise we will need to change more than 200 tunnels.

    Thanks.

    Friday, May 11, 2018 5:09 PM
  • It's a complete waste of time to migrate WSUS. You can't do it anyway (you can, but it's not worth it) due to the way SQL works; you would have to go through the whole process of fixing the DB, which is just not worth the time.

    You would be better off creating a new WSUS box; use the newest version of Windows Server to do it.

    Use a different IP and a different hostname, and add it to the new domain.

    Set it up.

    Go to Group Policy and change the WSUS policy to the new server name.

    Download the updates, etc., and on Group Policy refresh the desktops will automatically start to populate on the new WSUS server.

    I have been down this road.
    It's easier to just start from scratch, and it's not terribly time consuming either; if this was done right to begin with, everything should take a few hours tops.


    Rob


    Friday, May 11, 2018 5:14 PM
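As an added example (not code from Rob or from anyone in this thread): a check to run on a domain-joined client after the Group Policy change above, confirming that the machine really took the new WSUS target and that it is talking to it over HTTPS rather than plain 8530. The server name and port are assumptions for illustration; the registry values, the ClientWebService endpoint and the Microsoft.Update.AutoUpdate COM object are the ones the Windows Update client actually uses.

```powershell
# Added example, not from the thread. Run on a client after the WSUS GPO has
# been repointed. Hostname and port are assumptions for illustration.
$ExpectedServer = 'https://wsus-new.corp.example:8531'   # assumed new WSUS URL

function Get-WsusClientPolicy {
    # Values written by the "Specify intranet Microsoft update service location"
    # and "Configure Automatic Updates" policy settings.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    [pscustomobject]@{
        WUServer       = (Get-ItemProperty -Path $wu -Name WUServer       -ErrorAction SilentlyContinue).WUServer
        WUStatusServer = (Get-ItemProperty -Path $wu -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer
        UseWUServer    = (Get-ItemProperty -Path $au -Name UseWUServer    -ErrorAction SilentlyContinue).UseWUServer
    }
}

function Test-WsusClientTarget {
    param([string]$Expected)
    gpupdate /target:computer /force | Out-Null     # pull the latest policy first
    $p      = Get-WsusClientPolicy
    $ok     = $true
    $server = "$($p.WUServer)".TrimEnd('/')
    if ($p.UseWUServer -ne 1) {
        Write-Warning 'UseWUServer is not 1; the client will scan against Microsoft Update instead'; $ok = $false
    }
    if ($server -ne $Expected.TrimEnd('/')) {
        Write-Warning "WUServer is '$server', expected '$Expected'"; $ok = $false
    }
    if ("$($p.WUStatusServer)".TrimEnd('/') -ne $server) {
        Write-Warning 'WUStatusServer differs from WUServer; reporting will land on the wrong server'; $ok = $false
    }
    if ($server -notlike 'https://*') {
        # Over plain HTTP an on-path attacker can alter the update metadata and
        # approvals the client receives; use 8531 with a trusted certificate.
        Write-Warning 'WUServer is plain HTTP'; $ok = $false
    }
    # Touch a real WSUS endpoint. A TLS trust failure here means the client does
    # not trust the server certificate, and its update scans will fail as well.
    try {
        $r = Invoke-WebRequest -Uri "$server/ClientWebService/client.asmx" -UseBasicParsing -TimeoutSec 15
        if ($r.StatusCode -ne 200) { Write-Warning "HTTP $($r.StatusCode) from WSUS"; $ok = $false }
    } catch {
        Write-Warning "Cannot reach WSUS: $($_.Exception.Message)"; $ok = $false
    }
    return $ok
}

if (Test-WsusClientTarget -Expected $ExpectedServer) {
    # Start a detection cycle now so the machine shows up on the new server
    # without waiting for its next scheduled scan.
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    Write-Host 'Client points at the new WSUS server; detection started.'
}
```

Run it under an elevated prompt; the warnings tell you which of the three things (policy, reporting target, TLS trust) is still pointing at the old environment before you blame the server side.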
  • It's a complete waste of time to migrate WSUS. You can't do it anyway (you can, but it's not worth it) due to the way SQL works; you would have to go through the whole process of fixing the DB, which is just not worth the time.

    You would be better off creating a new WSUS box; use the newest version of Windows Server to do it.

    Use a different IP and a different hostname, and add it to the new domain.

    Set it up.

    Go to Group Policy and change the WSUS policy to the new server name.

    Download the updates, etc., and on Group Policy refresh the desktops will automatically start to populate on the new WSUS server.

    I have been down this road.
    It's easier to just start from scratch, and it's not terribly time consuming either; if this was done right to begin with, everything should take a few hours tops.


    Rob


    This is not true.

    Set up a new box in the new domain, with a new IP, in the new location (with whatever SQL back end you want: WID, or a full SQL instance, local or remote). Set it up as a downstream replica of the old location's server. Let the two sync. Once fully synced, change the new WSUS server to sync directly from Microsoft, promoting it to an upstream server. Turn off the old server, migrate the SSL cert (if you have that enabled; hopefully you do, and if you don't, you should, to prevent MITM attacks), and change the IP of the new server to match the old one (or, if you're using DNS, just update DNS with the new IP, assuming it's a public FQDN), so that your client systems don't need to change any settings (again, assuming port 8530/8531).

    All client machines will populate as the WU services check for updates on the new machine.

    It is very simple and will retain all approvals.

    Also, if you haven't heard of WAM, WAM your new server (and your old one before doing this, so that you only bring over what is needed).

    A new version of WAM will be released June 1st so watch for it :)

    Please have a look at the WSUS Automated Maintenance (WAM) system. It is an automated maintenance system for WSUS, the last system you'll ever need to maintain WSUS!

    https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

    What it does:

    1. Add WSUS index optimization to the database, making many database operations in WSUS approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates, including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only, if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples.

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Saturday, May 12, 2018 4:27 AM
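The replica-then-promote sequence described in the post above, as an added example that is not part of that post, of WAM, or of any Microsoft script. It uses the UpdateServices module that ships with the WSUS role on Server 2012 and later, plus the WebAdministration module for the IIS binding check, and is run on the new server once the role is installed. The old server's name, the client-facing name, the port and the use of SSL on 8531 are assumptions for illustration.

```powershell
# Added example, not from the thread. Run on the NEW WSUS server in the new
# domain, after the WSUS role is installed and before clients are repointed.
Import-Module UpdateServices
Import-Module WebAdministration

$OldServer        = 'wsus-old.corp.example'   # assumed: current upstream in the old domain
$ClientFacingName = 'wsus.corp.example'       # assumed: name clients already have in WUServer
$Port             = 8531                      # assumed: SSL port (8530 for plain HTTP)
$UseSsl           = $true

# Step 1: become a replica of the old server. A replica copies approvals as
# well as update metadata, so nothing has to be re-approved after the cut-over.
Set-WsusServerSynchronization -UssServerName $OldServer -PortNumber $Port -UseSsl:$UseSsl -Replica

$wsus = Get-WsusServer            # the local server
$sub  = $wsus.GetSubscription()
$sub.StartSynchronization()

# Step 2: wait for that sync to finish and refuse to continue if it failed.
do {
    Start-Sleep -Seconds 30
} while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')

$last = $sub.GetLastSynchronizationInfo()
if ($last.Result -ne 'Succeeded') {
    throw "Replica sync did not succeed: $($last.Result) $($last.ErrorText)"
}

# Step 3: compare approved-update counts on both sides before trusting the copy.
function Get-ApprovedCount {
    param($Server)    # an IUpdateServer returned by Get-WsusServer
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    $Server.GetUpdateCount($scope)
}
$old      = Get-WsusServer -Name $OldServer -PortNumber $Port -UseSsl:$UseSsl
$oldCount = Get-ApprovedCount -Server $old
$newCount = Get-ApprovedCount -Server $wsus
if ($oldCount -ne $newCount) {
    throw "Approval mismatch (old=$oldCount, new=$newCount); do not cut over yet"
}

# Step 4: promote. Stop being a replica and sync straight from Microsoft Update.
Set-WsusServerSynchronization -SyncFromMU

# Step 5: the certificate on 8531 must be valid for the name clients already
# use, otherwise every client scan fails the moment the IP or DNS record moves.
$binding = Get-WebBinding -Name 'WSUS Administration' -Protocol https | Select-Object -First 1
$cert    = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
if (-not $cert)                    { throw 'No certificate bound to the WSUS Administration HTTPS binding' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Bound certificate expired $($cert.NotAfter)" }
if ($cert.DnsNameList.Unicode -notcontains $ClientFacingName) {
    throw "Bound certificate does not cover $ClientFacingName; clients will reject it"
}
Write-Host "Ready to cut over: $newCount approved updates replicated; cert valid for $ClientFacingName until $($cert.NotAfter)."
# Step 6 is outside WSUS: shut down the old server, then move the IP or the DNS record.
```

The approval-count comparison is the check worth keeping even if you script nothing else: a replica sync that "completed" with a partial catalog will silently leave clients without updates they were approved for, and a count mismatch catches that before the old server is switched off. The certificate check exists because the thread's whole point about keeping the IP is that clients change nothing; that only holds if the certificate they already trust also covers the name they already use.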
  • It is true. It's an enormous pain to do it; you are better off just starting from scratch. For the amount of time it takes to do it, and when issues occur, which there will be, you would be better off just building a clean new box. It takes me less than 4 hours to spin up a new WSUS system with all the clients, policy, etc. In the past I always used to migrate them, but it takes more time, and usually something ends up jacked.

    to each their own.. 

    I would have just suggested not reinventing the wheel here. 


    Rob

    Wednesday, May 30, 2018 4:54 PM