Setup Offline WSUS Server 2012 R2 RRS feed

  • General discussion

  • Dear All,

    Encounter some problem during my deployment hope that anyone here can give me some pointers.

    First let me explain the whole setup. There 3 WSUS servers. 2 DB servers 1 downstream server.

    All these server don't have internet access at all. All the server is been harden due to security reason. Only Port 8530 is allow for updates.

    1. Both WSUS_DB1 and WSUS_DB2 is a cluster server. Both installation Option choose was Using WIS Database and Services.

    2. Downstream Sever (WSUS_Downstream)

    Question (Setup Layout)

    - Should the WSUS_DB1 Consider Upstream server to WSUS_DB2 has Downstream server? Using Synchronize from another Windows Server Update Services Server?

    - How to import an offline Update database into the new WSUS server database?

    - Is it a must to use SQL for the Database?

    -Where Can I download an offline Update database?

    Problem Encounter (During Setup)

    - When WSUS_Downstream is synchronize from another Windows Server Update Services server, I have selected the following "This is a replica of the upstream server" When I click next I don't seem to be able to connect. There is an error massage.

    - Missing Product Classification only Windows XP and Server 2000 only. How can I update to the latest product classification List.

    Hope that someone can give me some advise and pointer in this installation.

    Thank & Regards

    Melvin C

    • Edited by Melvin_C Monday, June 15, 2015 7:05 AM
    Monday, June 15, 2015 4:04 AM

All replies

  • Hi There

    It has been a while since you've posted that but nevertheless, let me summarise my experience with this problem so far.

    We have a regular lan with internet access, and another network completely isolated, not connected to any other networks or the internet. here the short version how we deploy updates in our disconnected network:

    prepare your regular network (setup an export server)

    1. setup a standalone wsus server in the regular network using the default values
    2. specify the products, languages and classifications that you want to download
    3. under 'update files and laugages', uncheck the option "download update files to this server only when updates are approved"
    4. Let the server synchronise and download the updates (takes up to one night and requires up to 320 GB of storage)

    then you prepare the disconnected network (setup an import server)

    1. setup a standalone wsus server but cancel the initial setup wizard. make sure it has the same amout of diskspace as the one in your regular network
    2. configure 'update files and languages', exactly the same settings as your regular wsus server.
    3. under 'update source and proxy server', leave the option at "synchronize from microsoft update"
    4. set the synchronisation schedule to 'synchronize manually'

    now to the more interessting part:
    how to get the products and update database to the disconnected server

    when you install the wsus server role, the tool 'wsusutil.exe' is installed within this path:
    C:\Program Files\Update Services\Tools\WsusUtil.exe

    Note: As we where facing issues as the cab files got too big after adding a lot of products, we had to install KB2828185 on our Win2008R2 WSUS 3.0 Servers, that allowed us to change from CAB to xml.gz files

    This tool allows you to export the metadata from your export server in the regular network:

    "C:\Program Files\Update Services\Tools\wsusutil.exe" export "%DESTINATION%\export.xml.gz" "%DESTINATION%\export.log"

    Now import the metadata on the import server

    "C:\Program Files\Update Services\Tools\wsusutil.exe" import "%SOURCE%\export.xml.gz" "%SOURCE%\export.log

    After that first synchronisation, you can now configure your products and classifications. make sure both wsus servers are configured exactly the same way, as you might get 'unable to download' messages if you configure different settings

    You are now ready to synchronize the whole wsus content (update files) and the according update-metadata. and with synchronize, i am talking about exporting everything to an usb disk, and import the whole thing on the disconnected server.

    First synchronisation takes obviously ages as all the 300 GB update files have to be copied twice, but differentials usually take around 45 minutes for export and slightly longer for imports. i do the copyjobs with an easy robocopy /mir command. i installed wsus on my D:\ drive, that now leaves me this little script:

    "C:\Program Files\Update Services\Tools\wsusutil.exe" export "%DESTINATION%\METADATA\export.xml.gz" "%DESTINATION%\METADATA\export.log"

    and then the same thing on the other side, to import the files and metadata from the disk into the import wsus server.

    be aware - it might take up to 24 hours, until the wsus mysteriously progressed the metadata and checked if his files are available. until then, many updates might show the download status of 'the file is being downloaded'.

    i hope some people might profit from this summary. feel free to improve my post.

    good luck!

    Stefan Gabriel

    Friday, October 21, 2016 4:19 PM
  • Hi Stefan,

    I think your information is wrong. You should really not import metadata before importing update files.

    See here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720512(v%3Dws.10)

    You should copy updates to the file system of the import server before you import metadata. If WSUS finds metadata for an update that is not in the file system, the WSUS console shows that the update failed to be downloaded. This type of problem can be fixed by copying the update onto the file system of the import server and then again attempting to deploy the update.

    MCITP Enterprise Administrator / Server Administrator

    Thursday, April 12, 2018 9:09 AM