How Many Replica WSUS Server Can Be Created Under 1 WSUS Up-Streaming Server 2016

  • Question

  • Hi Team,

    We have Windows systems scattered in 5 regions.

    Country 1    7000 Systems
    Country 2    700 Systems
    Country 3    4800
    Country 4    6000
    Country 5    2000

    We are trying to plan the WSUS environment.

    Environment:

    Server - Windows Server 2008, 2012 & 2016 (Approx 4500 servers)

    Desktop - Windows 7/8.1/10 (Approx 16,000 clients)

    SQL - Server 2012R2 Express

    WSUS Setup:

    WSUS Central server has 5 Upstream Servers, Each Upstream server has max 10 downstream servers

    All servers are in replica mode of WSUS Central.

    We are planning to set up an Upstream Server in Country 1 and one Replica Server.

    For the rest of the countries, we are keeping 2 Replica servers for each country, I mean Country 2, 3, 4, 5.

    To provide high availability we are using the F5 Load Balancer GTM, so that WSUS clients can connect to the nearest WSUS server.

    Please review and suggest about this design. We would like to understand whether having 9 Replica servers is okay or whether we will face any issues.


    Ravi Ch

    Friday, February 9, 2018 10:06 AM


All replies

  • Hello,

    It's better not to use SQL Express; there is a limitation of SQL Express. Please use SQL Std or WID DB.

    Anyway, please follow the guidance below to configure your Downstream Servers.

    https://technet.microsoft.com/es-es/library/cc720448%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment

    Friday, February 9, 2018 11:11 AM
  • Hi Udara,

    Thanks for your reply.

    I have already gone through the above articles. There is a note saying, "Do not go more than three levels deep when setting up WSUS in a hierarchical model. Exceeding three levels may cause significant lag times between updates and synchronization. When looking at your network layout, keep this limitation in mind."

    Does exceeding three levels mean that a single WSUS upstream server should not have more than three replica WSUS servers? Is my understanding of the above statement correct? Can you suggest?

    As I have been reading through articles, we can configure a max of 1000 Replica WSUS servers for a single Upstream server. Ref Link.

    Can someone help: is it okay to configure 10 Replica servers for a single upstream server?



    Ravi Ch

    Friday, February 9, 2018 1:25 PM
  • 3 levels is central upstream (1) > downstream (2) > downstream (3) > clients

    There shouldn't be a problem with configuring 10 replica servers for a single upstream system.

    As for the maintenance of all your WSUS Servers, check out WAM

    Please have a look at the WSUS Automated Maintenance (WAM) system. It is an automated maintenance system for WSUS, the last system you'll ever need to maintain WSUS!

    https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT


    • Edited by AJTek.caMVP Friday, February 9, 2018 1:56 PM clarification
    Friday, February 9, 2018 1:55 PM
  • Hi Adam,

    Thanks for your reply.

    We would like to plan the WSUS environment as below using the F5 Load Balancer. Please review and suggest on this design.

    For the upstream servers, we are configuring them as standalone ones and using the F5 VIP to create high availability in case one is down. Is this okay?

    And also:

    I am sorry, I might be repeating the same question on the hierarchy levels for WSUS. Does it mean that if we configure as below, it will create complications?

    WSUS Hierarchy Levels

    • Edited by CHIGURUSETTI Sunday, February 11, 2018 6:59 PM to append the content.
    Sunday, February 11, 2018 6:52 PM
  • Hi,

    >>Exceeding three levels means, a Single WSUS upstream server should not have more than three replica WSUS servers?

    Yes, the above scenario is the meaning of "level".

    In your case, it is a two-level WSUS configuration.

    But I'm not sure if F5 will work with WSUS network load balancing (please build a lab with "two upstream servers" and "two downstream servers" to test it).

    As for WSUS, there is an existing NLB solution:

    https://blogs.technet.microsoft.com/wsus/2014/03/22/configuring-wsus-6-x-for-network-load-balancing-nlb/

    Hope it is useful to you.

    Best Regards,

    Elton




    • Edited by Elton_Ji Monday, February 12, 2018 2:44 AM
    Monday, February 12, 2018 2:43 AM
  • Hi Team,

    Sorry to bother you once again. Will the design below work, or are there any complications?

    We will have only one upstream server; all the remaining ones are replica servers. It's not chained: only the upstream server will download the patches, and the remaining servers will connect to this server as replica WSUS servers.

    WSUS


    Ravi Ch

    Monday, February 12, 2018 10:26 AM
  • That should work as there's only 2 levels. 1 Upstream, to several Downstream on level 2, none in level 3.

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by CHIGURUSETTI Wednesday, March 21, 2018 6:05 AM
    Monday, February 12, 2018 6:11 PM
  • Just a quick question.

    Can the level 2 servers in this be in different locations? The reason is that I am from a network background, and one of the server guys here says you cannot have more than 4 WSUS servers.

    He is looking to create sharded DMZs at our sites and then IPSEC back to a central location. From what I have read here, you can have loads of level 2 WSUS servers, but I am wondering if they can be spread across various sites with different IPs. The clients would then connect to the level 2 servers locally.

    So in the above drawing, can each of those green replica servers be in a different physical location with a different IP address?

    Thanks in advance.

    Monday, March 11, 2019 12:41 AM
  • Yes, they don't have to physically be in the same location. The levels deep relate to how many levels of downstream servers there are. From what I understand, what you're proposing would work fine. Central would be upstream, DMZ would be downstream, and each other location would have a 3rd level Downstream server.

    Just make sure you maintain them. Here's part 8 of my blog series that deals with the maintenance.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, March 11, 2019 12:58 AM
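
The distinction this thread turns on, how many levels deep a hierarchy is versus how many replicas hang off one upstream, shown as an added PowerShell example that is not part of any post above. The server names and the `Get-WsusTopologyReport` helper are hypothetical, the two topologies are constructed from the designs discussed (one upstream with 9 replicas, and central > DMZ > site), and the limit of 3 is the one quoted in the thread from the deployment guide.

```powershell
# Added example. Constructed topologies: each entry maps a WSUS server to its
# upstream, $null marks the top-level server. All names are placeholders.
$flat = [ordered]@{ 'CENTRAL' = $null }
foreach ($n in 1..9) { $flat["REPLICA-$n"] = 'CENTRAL' }   # 9 replicas, 1 upstream

$chained = [ordered]@{
    'CENTRAL' = $null
    'DMZ'     = 'CENTRAL'
    'SITE-A'  = 'DMZ'
    'SITE-B'  = 'DMZ'
}

# Hypothetical helper (not a WSUS cmdlet): reports levels deep and widest fan-out.
function Get-WsusTopologyReport {
    param(
        [System.Collections.IDictionary]$Upstream,
        [int]$MaxLevels = 3   # limit quoted in the thread from the deployment guide
    )
    $deepest = 0
    foreach ($server in $Upstream.Keys) {
        $level  = 1
        $seen   = @{ $server = $true }
        $parent = $Upstream[$server]
        while ($null -ne $parent) {
            # A misconfigured hierarchy can loop or point at an unlisted server.
            if ($seen.ContainsKey($parent))       { throw "Upstream loop at $parent" }
            if (-not $Upstream.Contains($parent)) { throw "Unknown upstream $parent" }
            $seen[$parent] = $true
            $level++
            $parent = $Upstream[$parent]
        }
        if ($level -gt $deepest) { $deepest = $level }
    }
    # Fan-out: count how many servers name each upstream, keep the largest group.
    $widest = $Upstream.Values | Where-Object { $_ } | Group-Object |
        Sort-Object Count -Descending | Select-Object -First 1
    [pscustomobject]@{
        LevelsDeep       = $deepest
        WidestUpstream   = $widest.Name
        DirectDownstream = $widest.Count
        WithinGuidance   = ($deepest -le $MaxLevels)
    }
}

Get-WsusTopologyReport -Upstream $flat
Get-WsusTopologyReport -Upstream $chained
```

Adding replicas under the same upstream changes only `DirectDownstream`; `LevelsDeep` grows only when a downstream server is itself used as another server's upstream.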