Difference with info between downstream server and upstream server WSUS 6.3 RRS feed

  • Question

  • 1 upstream server, 5 downstream servers

    Fairly new to WSUS here. I walked into a role with an already established WSUS setup. Things seem to be working as designed:

    Client side targetting

    WSUS Downstream server at each site

    The issue I am seeing here is a difference in status for clients when looking at them from the upstream console verses looking at the same computer group from the console at the site itself (downstream server).


    Upstream System console

    Computer Group "Site A" shows 500 workstations, 200 of which show as 100% done concerning patching and compliance.

    Downstream System Site A Console

    Computer Group "Site A" shows 500 workstations, 20 of which show as 100% done concerning patching and compliance.

    We also see issues with clients that show a status of 99% done. When we check the "updates needed" against these 99'ers we see anywhere from 1 to as much as 30-40 updates that are "not approved". When we check this update against the Upstream system its approved. 

    We have Synchronizations running daily on all downstream systems, disabled on upstream. I've since removed and added the WSUS role, server reset, server cleanup, and so on with the Downstream Site A system. 

    Any ideas would be appreciated.  

    Tuesday, July 24, 2018 5:49 PM

All replies

  • I would suggest taking a read through my blog on how to setup, manage, and maintain WSUS.


    While this doesn't show you how to work with downstream servers, assuming they are downstream replicas (not downstream autonomous), they literally replicate what is going on with the upstream. Are you performing the proper maintenance routines on ALL YOUR WSUS Servers in the proper order, including SQL maintenance, declining superseded updates, the Server Cleanup Wizard (SCW) and more?


    If not, you should be doing it from the bottom up (downstream in tiers and eventually to upstream).

    Also, don't forget, WSUS is a PULL system, therefore EVERYTHING with it is slow, including reporting. To give an example..

    The client requests updates from downstream 1. Downstream 1 provides the updates but client1 doesn't restart for 32 hours. After the restart, the client is NOT connected to the network, so it cannot provide updates to the downstream system. Another 24 hours goes by and now the client has reconnected (come back into the office) and communicates to the Dowstream 1 server that it has installed the updates and is reported in. Downstream1 now will show the proper report, but Downstream 1 only syncs with the Upstream server once a day at ~3AM so that's another 18 hours from when the client informed the Dowstream 1 system. At 3 AM the WSUS upstream and Downstream sync, and the reports should now be in sync.

    That's 74 hours after the 'installation' of the updates for the report status to reach the upstream system.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Wednesday, July 25, 2018 12:49 AM
  • Hello WillPinkman,


    At first, let us confirm the mode your downstream server running in, autonomous or replica?


    If in autonomous mode, downstream server would not synchronize the approval status, you should approve the updates in downstream server.


    If in replica mode, downstream server would inherit the approval status after finishing a synchronization. 


    Best Regards,

    Ray Jia

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 25, 2018 1:00 AM