WSUS server - moving from downstream autonomous to update from Microsoft

  • Question

  • I was wondering how I could possibly transfer all my computer groups / approval rules to another enterprise WSUS server.

    At present a central in-house server is the sole recipient of all external Microsoft updates. But it would be nice to have a secondary (standby) server, but one which also had all the same (or inherited) groups etc.

    Would it be possible to build a secondary WSUS server, point it to the 'central' server and synchronise all the updates, groups, rules - then point it back to Microsoft for all ongoing patches? Would the groups etc. be retained or will they get cleared when a new external source is set?

    Thanks

    Wednesday, March 25, 2015 3:17 PM

Answers

  • I would look up setting up WSUS in a disconnected network. This has a method of exporting groups and approvals and importing them on another WSUS server. You would need to install the "Update Services 3.0 API Samples and Tools.exe" from Microsoft. That will give you two tools, wsusmigrationexport and wsusmigrationimport, which will allow you to export groups and approvals from one server to the other. If the first WSUS server ever went down, all you should need to do is edit the GPO giving out WSUS settings to point to the name/IP of the 2nd server.

    Thursday, April 30, 2015 11:09 AM

All replies

  • Hi,

    I think what you need is described in the scenario Multiple WSUS servers

    https://technet.microsoft.com/en-us/library/cc708628%28v=ws.10%29.aspx

    As I understand, this second server is an availability solution; you could as well use them both in an NLB cluster and improve availability.

    https://technet.microsoft.com/en-us/library/hh852344.aspx


    MCP/MCSA/MCTS/MCITP

    Wednesday, March 25, 2015 3:41 PM
  • Thanks - I think we are looking at the 'multiple independent WSUS servers' scenario for the desired availability, though I can't see how we can manage two sets of computer groups / approvals.

    Based on the requirement for both servers to inherit our internal list of computer groups, already resident on the first of these WSUS servers - is this the model we want?

    The alternative being the 'multiple internally synchronised WSUS servers' model, with the 'downstream' server inheriting groups from the master / internet connected server. With this scenario though what happens when we take the upstream server out of the loop and point the previous downstream server to the Microsoft site for updates? Are all computer groups lost / reset or are they retained for future use?


    Tuesday, April 7, 2015 1:04 PM
  • Hi Nick,

    Essentially, if you want to manage 2 WSUS servers at the same "level", then you will need the Upstream/Downstream approach to sync the groups, approvals etc.

    What do you mean by "point the previous downstream server to the Microsoft site for updates"? Is it that you want them to still receive the approvals from the upstream, but download the binaries from Microsoft? If that's the case, that should work OK.



    Wednesday, April 8, 2015 7:23 AM
  • Thanks - my plan was to be able to run the second WSUS server in autonomous mode as a potential standby for the main server. As long as I could ensure that then pointing this secondary server back to the Microsoft website for updates (after receiving everything from the internal 'master'), would retain the computer groups it had been inheriting up to that point.

    Does this make sense?

    Wednesday, April 8, 2015 1:11 PM
  • Hi,

    If we run the standby WSUS server in autonomous mode, update approval status and computer group information will not be inherited from the upstream server.

    So, we need to create the group manually. When we change the source server, the group won't be overridden.

    Best Regards.


    Steven Lee

    Thursday, April 9, 2015 3:31 PM
  • So in my scenario - my standby server WILL NOT be inheriting groups from the internal upstream server?

    I thought that was by design in order to allow localised approval of updates to groups received from upstream source.

    How can I get the upstream computer groups to replicate to the downstream standby AND retain these should I repoint to Microsoft at a later date?

    Thursday, April 30, 2015 11:01 AM
  • I would look up setting up WSUS in a disconnected network. This has a method of exporting groups and approvals and importing them on another WSUS server. You would need to install the "Update Services 3.0 API Samples and Tools.exe" from Microsoft. That will give you two tools, wsusmigrationexport and wsusmigrationimport, which will allow you to export groups and approvals from one server to the other. If the first WSUS server ever went down, all you should need to do is edit the GPO giving out WSUS settings to point to the name/IP of the 2nd server.

    Thursday, April 30, 2015 11:09 AM
  • Thanks Mikee. This sounds like a solution.

    I will test the export / import process and see if I get the desired result.

    Thursday, April 30, 2015 1:17 PM
  • I am now performing the following scheduled job on the main internet facing WSUS server:

    "C:\Program Files\Update Services 3.0 API Samples and Tools\WsusMigrate\WsusMigrationExport\WsusMigrationExport.exe WSUS-MAINWSUS01.xml"

    which exports out all the groups and approvals in XML format. Then performing an import to the standby server:

    "C:\Program Files\Update Services 3.0 API Samples and Tools\WsusMigrate\WsusMigrationImport\WsusMigrationImport.exe WSUS-MAINWSUS.xml All None"

    and this works great - all approvals and groups being migrated weekly.

    However I've noticed that the automatic approval rules aren't coming over. Is there a way to migrate these also?

    Friday, May 15, 2015 9:54 AM
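
One way to carry the automatic approval rules across after the weekly group/approval import, as an added example that is not part of the original thread and not one of the Microsoft migration tools. It uses the WSUS administration API from PowerShell; the server names `WSUS-MAIN` and `WSUS-STANDBY` and the port are placeholders (assumptions), and it assumes the standby has already synchronised the same products and classifications.

```powershell
# Added example: copy automatic approval rules from the main WSUS server to the standby.
# Server names and port below are placeholders (assumptions), not values from the thread.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$port   = 8530   # assumption: use 80 if WSUS runs on the default web site
$source = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('WSUS-MAIN', $false, $port)
$target = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('WSUS-STANDBY', $false, $port)

# Group GUIDs can differ between servers, so groups are matched by name.
$targetGroups = @{}
foreach ($g in $target.GetComputerTargetGroups()) { $targetGroups[$g.Name] = $g }
$existingRules = @{}
foreach ($r in $target.GetInstallApprovalRules()) { $existingRules[$r.Name] = $r }

foreach ($rule in $source.GetInstallApprovalRules()) {
    # Resolve target groups first. If any group is missing, skip the rule:
    # a rule saved with fewer groups than intended would change which machines it covers.
    $groups  = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    $missing = @()
    foreach ($g in $rule.GetComputerTargetGroups()) {
        if ($targetGroups.ContainsKey($g.Name)) { [void]$groups.Add($targetGroups[$g.Name]) }
        else { $missing += $g.Name }
    }
    if ($missing.Count -gt 0) {
        Write-Warning "Skipping rule '$($rule.Name)': groups missing on standby: $($missing -join ', ')"
        continue
    }

    # Classifications and product categories keep the same IDs on every WSUS server.
    $classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    foreach ($c in $rule.GetUpdateClassifications()) { [void]$classes.Add($target.GetUpdateClassification($c.Id)) }
    $cats = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
    foreach ($c in $rule.GetCategories()) { [void]$cats.Add($target.GetUpdateCategory($c.Id)) }

    # Update the rule in place if it already exists on the standby, otherwise create it.
    $copy = $existingRules[$rule.Name]
    if (-not $copy) { $copy = $target.CreateInstallApprovalRule($rule.Name) }
    $copy.SetComputerTargetGroups($groups)
    $copy.SetUpdateClassifications($classes)
    $copy.SetCategories($cats)
    $copy.Enabled = $rule.Enabled
    $copy.Save()
    Write-Output "Copied rule '$($rule.Name)' (enabled: $($rule.Enabled))"
}
```

Run it after the WsusMigrationImport step so the groups the rules refer to already exist on the standby, and review the warnings for any rule that was skipped.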