locked
Transfer updates from online WSUS to offline WSUS RRS feed

  • Question

  • Hi everybody,

    First, sorry for my approximative english.

    I have 2 servers WSUS, one is connected to internet and get his updates from Windows servers. The second one is in offline network.

    The procedure i've applied to update my offline server is :

    • Copy folders inside WSUSContent of online server to external disk
    • Export metadata with this command : wsusutil.exe export export.xml.gz export.log (first i try a .cab extension, but size is too big)
    • Copy folders from external disk inside WSUSContent of offline server
    • Import metadata with this command : wsusutil.exe import export.xml.gz import.log

    Updates seems to be present, but this message is present on the offline server : "0,00 Mo download on 379 888,82Mo".

    I supposed the offline server doesn't know the updates are already present.

    Precisions :

    • Windows 2012 R2
    • Online update services version : 6.3.9600.16384
    • Offline update services version : 6.3.9600.16384
    • All updates are approved on the each servers
    • Clients doesn't see any updates avalaible. But in its log there are : "Found 0 updates and 75 categories in search; evaluated appl. rules of 1006 out of 2017 deployed entities" and "Reporting status event with 211 installable, 103 installed, 0 installed pending, 0 failed and 0 downloaded updates"

    Then, I think the last thing is to say to the offline server : your updates are already here !

    If you need more informations tell me.

    Thank you in advance for your help

    Wednesday, January 4, 2017 9:46 AM

Answers

  • Hi Mike.

    I have seen something similar on my offline wsus server. After importing patches with 'wsusutil import', the status page of the offline wsus-server would report there were *many* files needing downloading. I have also seen some secondary effects, where my windows 7-client would never finish scanning for new updates and 2012r2-client would be able to scan but would not see new updates.

    After spending a lot of time reading logfiles, comparing setup of servers and replicating the problems in a virtual lab I think I am closing in on the problem and have been able to create a workaround.

    I have not been able to find documentation on the import process but as far as I can tell, 'wsusutil import' only makes sure the import-files are there, it does not do any actual importing. The only time I have found an error in the import.log file was when one of the update files was damaged because of a disk-error on the usb-drive I use for transfers.

    After 'wsusutil import' is done, it hands the job over to some other process which updates the database with the wherabouts of the update files. This is where things start to get interesting, if the 'second import' does not find the update-files it is looking for, it place a request with the BITS-service to download the files from the internet. Naturally, BITS cannot locate the files it need, beeing cut off from the internet, so the BITS-jobs just hang there, waiting for a really long timeout to occur. The BITS-service will by default only keep 10 simultanous jobs, so if WSUS thinks it needs more than 10 files, the rest will be placed in an WSUS-internal queue. The problem with this process is that when if the BITS-queue fills up, the import-process stops, waiting for BITS to accept more jobs.

    To see which files BITS are looking for use the command 'bitsadmin /list /allusers /verbose'. The /verbose switch will tell you the URL of the file it looks for and where it wants to place it. It also gives you some status information.

    I have found two workarounds for this. The first, somewhat crude and not entire successful, was to make sure BITS got an answer from a web-server. By default, BITS don't even find the server it is looking for, leading to a very long timeout. By simply creating a DNS-entry for the microsoft download server and pointing to an 'empty' webserver, BITS would at least get a 404 and move on to the next file in line..

    A much better workaround was to make sure BITS could hold a queue of more than 10 jobs. There used to be a registry entry to define 'MaxSimultaneousFileDownloads' but with the current version of WSUS, that value is now held in the WSUS-database. My setup use WID (Windows internal database). To connect to and edit WID I installed SQL Server Management Studio, v16.5. I then connected to the local database using the connect string '\\.\pipe\MICROSOFT##WID\tsql\query'. I then navigated to '\SUSDB\Tables\dbo.tbConfigurationB' and changed
     'MaxSimultaneousFileDownloads' from the default 10 to 10000.

    WSUS does not pick up the new values from the database right away but an import seem to trigger a refresh.

    After doings this change both my lab-environment and my production environment were able to finish importing. The status page eventually showed that all files had finished downloading.

    The BITS-list however remains a mystery. After the import was done, BITS had some 130 jobs waiting in my lab and almost 2500 in my production environment. Downloading and checking some of these files manually only added to the mystery as they all seemed to be belong to updates that had expired and never were approved in the first place. After a day and a half, all BITS-jobs expired, disappearing from the queue.

    • Marked as answer by Mike_Doe Thursday, April 27, 2017 6:43 AM
    Monday, January 30, 2017 9:09 AM

All replies

  • Hi Mike_Doe,

    >Updates seems to be present, but this message is present on the offline server : "0,00 Mo download on 379 888,82Mo".

    According to the message, it may due to the WSUS content folder not migrate correctly. To migrate WSUS content folder, please use backup and restore tools.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 5, 2017 7:08 AM
  • Hi Anne,

    Thank you for your reply. Does it with this tutorial from technet : https://technet.microsoft.com/en-us/library/cc708579(v=ws.10).aspx ?

    I have read somewhere a simple copy is enough to do that. I test the backup tools and will come back to say if it's ok.

    Regards.

    Thursday, January 5, 2017 8:21 AM
  • Hi Mike_Doe,

    The link you provide is for WSUS 3.0, and as far as I know, ntbackup tool is removed on server 2012R2, you need to use the backup and restore method for server 2012R2.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 5, 2017 8:27 AM
  • Hi Anne,

    I don't find the same for 2k12. Just the solution at the bottom of the link i've posted which it's write from Jim : 

    Modern operating systems

    As ntbackup has been replaced in modern versions of Server, you can use robocopy from a command line to do incremental backups of your WsusContent folder without relying on third party tools. I suggest you research the following flags: /MIR /J /MT:1 /XF *.tmp /R:2 /W:30 /XC /XN /XO

    Is it a good solution or there are a include solution in Windows ?

    Thank you, regards

    Thursday, January 5, 2017 8:59 AM
  • Hi Mike_Doe,

    Just to confirm if you use backup tool to migrate WSUS server successfully?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 9, 2017 8:30 AM
  • Hi Anne

    I don't use the backup tool, but i've tried to copy with xcopy like i found in a tutorial. But it doesn't work, the server still want to download the files already presents...

    Do you mean i have to use the microsoft backup tool? I really want to have the right solution because of i spent many times with wrong solutions. Can you confirm me this procedure : 

    - Backup WSUSContent folder with Microsoft backup tool

    - Export metadata with wsusutil

    - Restore WSUSContent folder with Microsoft backup tool

    - Import metadata with wsusutil

    Thanks in advance

    Regards

    Tuesday, January 17, 2017 9:49 AM
  • Hi Mike_Doe,

    >Can you confirm me this procedure : 

    - Backup WSUSContent folder with Microsoft backup tool

    - Export metadata with wsusutil

    - Restore WSUSContent folder with Microsoft backup tool

    - Import metadata with wsusutil

    Yes, it is.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 18, 2017 9:35 AM
  • Hi Anne,

    I'm testing with this procedure, but just a question about the Offline WSUS : At the step when I choose from where it have to get its update, I keep "Synchronize from Microsoft Update" or "Synchronize from an other server" ?

    Thanks

    Regards

    Friday, January 20, 2017 4:03 PM
  • Hi Mike_Doe,

    >At the step when I choose from where it have to get its update, I keep "Synchronize from Microsoft Update" or "Synchronize from an other server" ?

    Sync from Microsoft Update, then it will be an upstream WSUS server, sync form another server, it will be a downstream WSUS server. You may choose the pervious one.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 23, 2017 8:54 AM
  • Hi Anne,

    My server is offline, then if I choose from Windows Update, in products I don't have recent products (it ends at Windows XP or Server 2003).

    From my online WSUS I choose Windows 7 and Server 2012 R2. It will be ok when I restore files and metadata ?

    Thanks in advance

    Regards

    Monday, January 23, 2017 9:23 AM
  • Hi Mike_Doe,

    Yes, just install the WSUS role correctly in Server manager first. Then have you install WSUS role in Server manager successfully?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 26, 2017 5:55 AM
  • Hello Anne, 

    Yes everything is right. Post-installation are done and i complete the configuration assistant. 

    I don't have make any synchronisation at this moment. I just want to be sure before making an other test because it takes a long time to make one. 

    Thank you, 

    Best Regards 

    Friday, January 27, 2017 1:40 PM
  • Hi Mike.

    I have seen something similar on my offline wsus server. After importing patches with 'wsusutil import', the status page of the offline wsus-server would report there were *many* files needing downloading. I have also seen some secondary effects, where my windows 7-client would never finish scanning for new updates and 2012r2-client would be able to scan but would not see new updates.

    After spending a lot of time reading logfiles, comparing setup of servers and replicating the problems in a virtual lab I think I am closing in on the problem and have been able to create a workaround.

    I have not been able to find documentation on the import process but as far as I can tell, 'wsusutil import' only makes sure the import-files are there, it does not do any actual importing. The only time I have found an error in the import.log file was when one of the update files was damaged because of a disk-error on the usb-drive I use for transfers.

    After 'wsusutil import' is done, it hands the job over to some other process which updates the database with the wherabouts of the update files. This is where things start to get interesting, if the 'second import' does not find the update-files it is looking for, it place a request with the BITS-service to download the files from the internet. Naturally, BITS cannot locate the files it need, beeing cut off from the internet, so the BITS-jobs just hang there, waiting for a really long timeout to occur. The BITS-service will by default only keep 10 simultanous jobs, so if WSUS thinks it needs more than 10 files, the rest will be placed in an WSUS-internal queue. The problem with this process is that when if the BITS-queue fills up, the import-process stops, waiting for BITS to accept more jobs.

    To see which files BITS are looking for use the command 'bitsadmin /list /allusers /verbose'. The /verbose switch will tell you the URL of the file it looks for and where it wants to place it. It also gives you some status information.

    I have found two workarounds for this. The first, somewhat crude and not entire successful, was to make sure BITS got an answer from a web-server. By default, BITS don't even find the server it is looking for, leading to a very long timeout. By simply creating a DNS-entry for the microsoft download server and pointing to an 'empty' webserver, BITS would at least get a 404 and move on to the next file in line..

    A much better workaround was to make sure BITS could hold a queue of more than 10 jobs. There used to be a registry entry to define 'MaxSimultaneousFileDownloads' but with the current version of WSUS, that value is now held in the WSUS-database. My setup use WID (Windows internal database). To connect to and edit WID I installed SQL Server Management Studio, v16.5. I then connected to the local database using the connect string '\\.\pipe\MICROSOFT##WID\tsql\query'. I then navigated to '\SUSDB\Tables\dbo.tbConfigurationB' and changed
     'MaxSimultaneousFileDownloads' from the default 10 to 10000.

    WSUS does not pick up the new values from the database right away but an import seem to trigger a refresh.

    After doings this change both my lab-environment and my production environment were able to finish importing. The status page eventually showed that all files had finished downloading.

    The BITS-list however remains a mystery. After the import was done, BITS had some 130 jobs waiting in my lab and almost 2500 in my production environment. Downloading and checking some of these files manually only added to the mystery as they all seemed to be belong to updates that had expired and never were approved in the first place. After a day and a half, all BITS-jobs expired, disappearing from the queue.

    • Marked as answer by Mike_Doe Thursday, April 27, 2017 6:43 AM
    Monday, January 30, 2017 9:09 AM
  • Hi Paco,

    Really thank you for your long explanation and the return of your experience. It's very interesting for my situation (and probably for other).

    I'll test your procedure and I'll be back to you to say if it's ok for me.

    Regards

    Mike

    Monday, January 30, 2017 10:30 PM
  • Hi Paco,

    I've tried your method and it seems the bits doesn't reload the new value for MaxSimultaneousFileDownloads. In order i did that : 

    - import files updates

    - import updates with wsusutils

    - install SSMS and edit MaxSimultaneousFileDownloads value

    - reboot server

    - import updates with wsusutils

    After, the list still with 10 downloads. Have you did something else ?

    Thank in advance

    Regards

    Tuesday, February 28, 2017 9:43 AM
  • Hi,

    After few days, bitsadmin list grows to many downloads (it works), and 2 days after the list is empty, but the WSUS still says me 0 of XXXX files need to be download.

    Is it ok with this situation ? Have you done something else ?

    Regards

    Thursday, March 9, 2017 2:01 PM
  • I *think* you did the import too soon after changing the 'MaxSimultaneousFileDownloads' value. Just repeat the import process and check bitsadmin again.

    Also, doing regular cleanups seems to speed up both import and export jobs.

    Friday, March 17, 2017 8:35 AM
  • After many days and a retry, it works.

    Thank you so much

    Thursday, April 27, 2017 6:43 AM
  • Paco: Thank you.

    Microsoft: Please hire Paco or more people like him.  It is unfortunate that we have to depend on these black boxes.  Or maybe this behavior is documented somewhere?  Ha!

    And what's with the random font size change in this web posting text entry box?  Please spend less on your text entry boxes and more time removing BITS from WSUS.  Yuck!

    Tuesday, June 5, 2018 3:16 PM
  • Paco,

    I am experiencing the same issue.  Your work around partially worked, but only partially.  WSUS started to  download the updates, but stop again.

    Does the version of the export server have to match the version of the import server (disconnected). 

    Friday, March 1, 2019 8:20 PM
  • Successful Done. I reduced the number of 'Allowed' Updates,and quickly(few hours) synchronized.!
    Friday, March 27, 2020 6:07 AM