SCCM 2012 SP1 on WS2012 with SUP on separate server

  • Question

  • Hello all.  I did some searching and I believe I found my answer, but I just wanted to be sure before I click the apply buttons.  You know how it goes...

    My SCCM 2012 setup consists of a single primary SCCM 2012 SP1 server on Server 2012.  Since we have quite a few Macs, as well as a PKI, I have enabled SSL for the site as well as the DPs.  Everything works great.

    I am now adding the SUP.  It is on a separate Server 2012 box, along with SCUP and a few other roles.

    I just want to be sure of exactly how I am supposed to configure the SUP if it is on a separate box. If I understand correctly, I simply need to configure it just like in 2007 where you install only the management console on the site server and the full WSUS on the other box, then make the WSUS the primary SUP and that's it?

    Now, I have read that I should also install the SUP role on the primary as well, and simply make it a downstream subordinate that syncs off of the primary WSUS server?  Is this overkill?  The documentation in this area is severely lacking on TechNet.

    Also, can I leave my software updates configured as HTTP if the rest of my site is forced SSL?  I see no point in making WSUS transactions SSL because of the overhead.

    Thanks.

    • Moved by TorstenMMVP Monday, July 22, 2013 7:44 AM moved to Site and Client Deployment ...
    Saturday, July 20, 2013 1:56 AM

All replies

  • Hi,

    You only need to install the WSUS admin console on the primary site server, and not WSUS and make it a downstream server; the SUP on your second server will be the Active SUP in the site.

    You should be fine with letting the SUP use HTTP.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Saturday, July 20, 2013 12:45 PM
  • Thanks Jorgen.  I have still hit a snag.

    I have installed WSUS console ONLY on the primary site system.  I also set the site setting to 'synchronize with windows update'.

    The sync is failing with the following message:

    Sync failed: UssNotFound: WebException: The request failed with HTTP status 404: Not Found.~~at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS

    Perhaps I am not understanding your wording above.  You say I only need the admin console on the primary.  Done.  You then say make it a downstream server.  Where do I go to set that setting?  Also, how do I ensure my WSUS server is indeed the active SUP?

    Thanks.

    Saturday, July 20, 2013 4:08 PM
  • OK I have figured it out.  For anyone later on who is looking for this information, here it is in simple form.

    Server 2012 SCCM SP1 + Server 2012 WSUS (WSUS 4) on separate boxes step by step:

    1) Install WSUS on the separate server.  Run the WSUS config wizard until you get to the Products screen.  Then quit.  Reboot the box.

    3) Install the WSUS management tools ONLY on the primary server from within the RSAT list in features install area.

    4) Add the WSUS server as the SUP role in the SCCM console.  Configure the ports as 8530 and 8531 and set it as the active update point if asked.

    5) Configure the SUP in the SCCM console to sync from Windows Update.  Go into classifications and only choose one thing, such as Critical Updates to begin with.  Also, only choose one thing like Silverlight in the products section.  Only choose one of each for now, since you have to do an initial sync to actually get the true list of all products to show up, and the less you choose the faster the sync is.

    6) On the sync tab, schedule a manual one-time sync for 2 mins from now.

    7) Open the 'wsyncmgr' log in the SCCM logs folder and watch as the initial WSUS sync occurs.  When finished, go back into the SUP settings and configure all of the classifications and products you want.  Schedule another full sync and voilà... all updates will now be available in the updates area.

    Just to clear the air, ALL of the above is EXACTLY the same process as it was in SCCM 2007.  I don't know why this couldn't be simply outlined in the TechNet documentation.

    • Proposed as answer by Jason_Oakes Monday, August 14, 2017 8:02 PM
    Saturday, July 20, 2013 5:57 PM
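
An added example, not part of the original posts: a PowerShell sketch for step 7 that pulls "Sync failed" entries (such as the UssNotFound / HTTP 404 quoted earlier in the thread) out of wsyncmgr.log and checks whether the SUP answers on the two ports from step 4. The function names, the server name, the log path and the sample line's timestamp and trailing attributes are assumptions constructed for illustration.

```powershell
# Added example. Function names, server name and log path are hypothetical.
function Get-WsusSyncFailure {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # CM logs wrap each entry as <![LOG[message]LOG]!><time="..." date="..." ...>
        if ($l -notmatch '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"') { continue }
        # Copy the captures now: the next -match overwrites $Matches.
        $msg = $Matches['msg']; $time = $Matches['time']; $date = $Matches['date']
        if ($msg -notmatch '^Sync failed:\s*(?<code>\w+):') { continue }
        $code = $Matches['code']
        $status = if ($msg -match 'HTTP status (?<s>\d{3})') { [int]$Matches['s'] } else { $null }
        [pscustomobject]@{ Date = $date; Time = $time; Error = $code; HttpStatus = $status }
    }
}

function Test-WsusPort {
    # 8530 (HTTP) and 8531 (HTTPS) are the ports configured in step 4.
    param([string]$Server, [int[]]$Port = @(8530, 8531), [int]$TimeoutMs = 3000)
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($Server, $p, $null, $null)
            # WaitOne returns $true on completion; Connected tells success from refusal.
            $open = $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
            [pscustomobject]@{ Server = $Server; Port = $p; Open = $open }
        } finally {
            $client.Close()
        }
    }
}

# Constructed sample line: the message text is the one quoted in the thread,
# the timestamp and remaining attributes are made up.
$sample = @(
    '<![LOG[Sync failed: UssNotFound: WebException: The request failed with HTTP status 404: Not Found.]LOG]!><time="16:01:22.123+240" date="07-20-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="1234" file="wsyncmgr.cs:0">'
)
Get-WsusSyncFailure -Line $sample

# Against a live site (path and host name are placeholders):
# Get-WsusSyncFailure -Line (Get-Content '<SCCM install dir>\Logs\wsyncmgr.log')
# Test-WsusPort -Server 'wsus01.example.test'
```

If the SUP is left on HTTP as discussed above, only port 8530 needs to report `Open`; a closed 8531 is expected in that configuration.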