WSUS replica server - How to clean up

  • Question

  • I have a WSUS server with a few replica servers. 

    I have cleaned up the upstream, but the downstream servers are controlled by the upstream and will not allow the cleanup wizard to run. I can try to run the cleanup via PowerShell, but I get an access denied error. I'm not sure why the WSUS Cleanup Wizard does not also run on downstream servers as a process after the parent's cleanup. This seems to be a design error. There should be an option to kick off the cleanup on the downstream servers or at least truncate the stored updates.

    Can this process be explained?

    Thanks!

    Monday, November 27, 2017 8:11 PM

Answers

  • I figured out the solution and it was simple but not so obvious...

    The solution was to add my account to the WSUS Administrators group. 
    This allowed the "greyed out" Server Cleanup Wizard to become enabled on the replica servers. 
    I only looked at it as I was trying the same action with PowerShell commands and getting access denied.

    One would have thought Microsoft would automatically add permissions for the installer of the feature when installing and configuring the WSUS Server and downstream/replica servers, but they did not. The same account could run the WSUS Server Cleanup Wizard on the Parent/Upstream server without being a member of the WSUS Administrators group.

    Hope this helps someone.

    • Marked as answer by Tony00000001 Wednesday, November 29, 2017 2:51 PM
    Wednesday, November 29, 2017 2:51 PM

All replies

  • Run my script on all WSUS servers - upstream and downstream :)

    BTW, it's generally recommended to run server cleanup wizard on downstream systems first, but if you use my script on all systems, you don't need to worry about that ever again :)

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by Elton_Ji Wednesday, November 29, 2017 9:43 AM
    Monday, November 27, 2017 8:58 PM
  • Hi,

    >>I have cleaned up the Upstream but the downstream servers are controlled by the upstream and will not allow the cleanup wizard to run. 

     

    "Incorrectly running cleanup on any upstream server prior to running cleanup on every downstream server can cause a mismatch between the data that is present in upstream databases and downstream databases. The data mismatch can lead to synchronization failures between the upstream and downstream servers."

    https://technet.microsoft.com/en-us/library/dd939856%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Elton



    Tuesday, November 28, 2017 8:41 AM
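
The accepted answer (membership in the local WSUS Administrators group) and the TechNet guidance quoted above (clean up downstream servers before the upstream) can be combined in one run. The following is an added example, not code from any post in this thread and not the Clean-WSUS script. The server names and port are placeholders, and it assumes the UpdateServices PowerShell module is installed where it runs.

```powershell
# Added example: server names are placeholders, not values from the thread.
$Downstream = 'wsus-replica01.example.test', 'wsus-replica02.example.test'
$Upstream   = 'wsus-upstream.example.test'

function Get-WsusAdministrators {
    # Run locally on a WSUS server to audit who holds WSUS admin rights there.
    # Grant this group instead of broader local Administrators membership.
    Get-LocalGroupMember -Group 'WSUS Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Invoke-OrderedWsusCleanup {
    param(
        [string[]]$DownstreamServers,
        [string]$UpstreamServer,
        [int]$Port = 8530   # default WSUS HTTP port (assumption for this example)
    )
    # Replicas first, upstream last, following the quoted TechNet guidance.
    foreach ($name in @($DownstreamServers) + $UpstreamServer) {
        try {
            $wsus = Get-WsusServer -Name $name -PortNumber $Port -ErrorAction Stop
            $result = $wsus | Invoke-WsusServerCleanup -DeclineExpiredUpdates `
                -DeclineSupersededUpdates -CleanupObsoleteUpdates `
                -CleanupObsoleteComputers -CleanupUnneededContentFiles `
                -CompressUpdates -ErrorAction Stop
            [pscustomobject]@{
                Server = $name; Status = 'OK'; Detail = ($result -join '; ')
            }
        }
        catch {
            [pscustomobject]@{
                Server = $name; Status = 'Failed'; Detail = $_.Exception.Message
            }
            Write-Warning ("{0} failed. On access denied, check that the account " +
                "is in the local 'WSUS Administrators' group on that server." -f $name)
            # Stop here so the upstream is never cleaned while a replica is pending.
            break
        }
    }
}

Invoke-OrderedWsusCleanup -DownstreamServers $Downstream -UpstreamServer $Upstream |
    Format-Table -AutoSize
```

A new group membership only takes effect in a fresh logon session, so sign out and back in before retrying after adding the account.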