Jump to content


Photo

Install a SUP on remote server


  • Please log in to reply
19 replies to this topic

#1 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,669 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 08 May 2008 - 07:18 AM

In this guide I assume that you have installed and configured SCCM and have it all working ok. This guide assumes that you have installed another Server running Windows Server 2008 and that it is joined to the same domain that SCCM is joined to.

Note: The Remote SUP can handle connections from up to 25,000 client computers. If there are more client computers you can configure the active SUP to use an NLB cluster which can handle connections up to 100,000 computers.

Step 1. install IIS 7.0 on your WSUS server

Start the Server Manager (click Start, click Run, and then type CompMgmtLauncher).
In the tree view, select Roles, then in the Roles pane click Add Roles.

server_manager.jpg

In the Add Roles Wizard, click Select Server Roles, select the Web Service (IIS) check box, click Next, and then click Next again. You may see a message box Add features required for Web Server (IIS)? Click Add Required Features.

web_server_iis.jpg

In the Select Role Services window, make sure that the following services are selected:

* Common HTTP Features (including Static Content)
* ASP.NET, ISAPI Extensions, and ISAPI Features (under Application Development)
* Windows Authentication (under Security)
* IIS Metabase Compatibility (under Management Tools, expand IIS 6 Management Compatibility)

role_services.jpg

Click Next, and then review your selections. Click Install, and finally click Close when done.

close.jpg

Note: you can also review Technets Page on configuring IIS for WSUS.
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#2 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,669 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 08 May 2008 - 07:18 AM

Step 2. Install SQL 2005 SP3

Do all the steps in This post If you get a warning about IIS features not being installed then read this post and add the other IIS Role Services for SQL reporting.
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#3 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,669 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 08 May 2008 - 07:18 AM

Step 3. Install ReportViewer and WSUS on the WSUS server

Download and then Install the ReportViewer.

report_viewer.jpg

Download WSUS and then Double click on the WSUS exe, choose next at the welcome screen

wsus_welcome.jpg

choose the Full Server installation

full_server_installation.jpg

accept the license agreement

eula.jpg

Select your update source and make sure to select 'Store Updates Locally'

Select to use an Exisiting Database on this server

default_sql_database.jpg

click next after it has successfully connected to the database

sql_connected.jpg

for this LAB we will choose to Use an exisiting IIS website (however read the TIP below)

use_an_existing.jpg

Tip: The IIS default web site can be used when installing WSUS on the computer that will become the SUP however it is recommended that a WSUS web site be configured for WSUS running on the active software update point so that IIS hosts the WSUS 3 services on a dedicated web site instead of sharing the same web site used by the other configuration manager 2007 site systems or other applications. This recommendation is especially important when you are installing the software update point on the site server. When you are using a custom website for wsus 3.0 the default port numbers are 8530 for http protocol and port 8531 for https protocol (ssl). These port settings need to be specified when creating the active sup for the site.

windows_update_server_services.jpg

click Finish when done

completing.jpg

When the Wizard appears, click on Cancel

cancel.jpg
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#4 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,669 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 15 May 2009 - 08:43 AM

Step 4. Make the SCCM computer account a member of local administrators on your WSUS server

On the WSUS server, startup Server Manager and expand Configuration and bring up Local Users and Groups.

Click on Groups and then Double click on Administrators and click on Add. For 'Select This Object Type' click on Object Types, enter your administrative credentials if asked.

administator_props.jpg

For object types, select computers and click ok.

computers.jpg

click on Advanced and then Find Now

Select the SCCM computer object from the list and click ok, this is important as we want to grant our SCCM server access to control the WSUS server, failure to do this will result in ConfigMgr Status Error Messages in the SMS_SITE_COMPONENT_MANAGER log.

add_sccm_computer_account_to_local_admin.jpg

click ok again twice.


Note: for troubleshooting purposes here is what the log would say if you fail to do the above.

Severity Type Site code Date / Time System Component Message ID Description
Error Milestone WDN 5/15/2008 12:24:09 PM WIN-CILZXI45G1Q SMS_SITE_COMPONENT_MANAGER 1037 SMS Site Component Manager could not access site system "\\WSUS". The operating system reported error 2147942405: Access is denied. Possible cause: The site system is turned off, not connected to the network, or not functioning properly. Solution: Verify that the site system is turned on, connected to the network, and functioning properly. Possible cause: SMS Site Component Manager does not have sufficient access rights to connect to the site system. Solution: Verify that the Site Server's computer$ account has administrator rights on the remote site system. Possible cause: Network problems are preventing SMS Site Component Manager from connecting to the site system. Solution: Investigate and correct any problems on your network. Possible cause: You took the site system out of service and do not intend on using it as a site system any more. Solution: Remove this site system from the list of site systems for this site. The list appears in the Site Systems node of the Administrator console.



once you have configured the site systems computer account to be an administrator of the WSUS server, the site_component_manager will reattempt to install the site system after 60 minutes, and when successful you will see the following message in the SMS_SITE_COMPONENT_MANAGER log.

Severity Type Site code Date / Time System Component Message ID Description
Information Milestone WDN 5/15/2008 1:02:32 PM WIN-CILZXI45G1Q SMS_SITE_COMPONENT_MANAGER 1027 SMS Site Component Manager successfully configured site system "\\WSUS" to receive SMS server components. SMS Site Component Manager will now begin installing the components on the site system.


Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#5 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,669 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 15 May 2009 - 08:45 AM

Step 5. Install the WSUS server as a site system in SCCM

Expand the Site Database, Site Management, Site Settings node in ConfigMgr, and then expand Site systems. Right click and choose New, Server.

new_site_system.jpg

when the new site system server wizard appears enter your details like below paying close attention to the FQDN field

Note: When the computer account for the site server has access to the site system server and the site is in mixed mode, the settings on this page are optional. When the computer account does not have access to the site system server or when the site is in native mode, the following settings should be configured:

Specify a fully qualified domain name (FQDN) for this site system on the intranet: This setting must be configured for the active software update point site system when the site server is in native mode or when it is in mixed mode and uses Secure Sockets Layer (SSL). By default, this setting must be configured.

Specify an Internet-based fully qualified domain name for this site system: This setting must be configured for the active software update point if it accepts Internet-based client connectivity or for the active Internet-based software update point site system.

Use another account for installing this site system: This setting must be configured when the computer account for the site server does not have access to the remote site system.

Allow only site server initiated data transfers from this site system: This setting must be specified when the remote site system does not have access to the inboxes on the site server. This allows a site system from a different domain or forest to store the files that need to be transferred to the site server. The site server will periodically connect to the remote site system and retrieve the files. The Internet-based software update point might require this setting to be enabled.



wsus_image.jpg

Note: you may mistakenly enter something like wsus.windows-noob.local which would be wrong, it needs the FQDN which would be wsus.sccm2007.windows-noob.local, a simple PING test to the FQDN will resolve any confusion.


Select Software Update Point as the site role and click next

sup.jpg



enter your proxy settings if you have any then click next

proxy_settings.jpg

for Active Software Update Point, select the checkbox as below


active_settings.jpg

click next and verify your synchronisation source

sync_settings.jpg

leave synch schedule on 7 days

7_days.jpg

leave the classifications as they are *we can change them later if needed*

classifications.jpg

select your products, be careful to only select what you need or it wil take forever to download everything...

all_products.jpg

select your desired language (i chose english only)

language.jpg

review the summary and click next and then close.

On the ConfigMgr server, you should now see the newly added site system.

site_system_added.jpg
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#6 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,669 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 15 May 2009 - 09:32 AM

Expand the Software Updates node in ConfigMgr and right click on Update Repository, choose Run Synchronisation.

run_synch.jpg

answer Yes when prompted

yes.jpg
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#7 jeaostro

jeaostro

    Advanced Member

  • Members
  • PipPipPip
  • 137 posts
  • Gender:Male
  • Location:Norway
  • Interests:IT Security, SCCM, Tandberg

Posted 21 September 2009 - 08:35 PM

Two quick questions :)

Is there a reason not to use "Install Windows Internal Database on this computer" (WSUS Database)
Using MS SQL like you did will increase the license cost since we need a SQL license.

And is it a best practice to "create a Windows Server Update Services 3.0 Sp1 Web site?" (WSUS IIS Site)

Thanks for a great guide!

Best regards
Jean André

#8 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,669 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 22 September 2009 - 05:08 AM

good questions

using SQL 2008 or SQL 2005 as the database is preferred as you can properly manage the database and it's way more extendable than Windows Database

Using the WSUS website is also preffered as this separates the IIS resources

The IIS default web site can be used when installing WSUS on the computer that will become the SUP however it is recommended that a WSUS web site be configured for WSUS running on the active software update point so that IIS hosts the WSUS 3 services on a dedicated web site instead of sharing the same web site used by the other configuration manager 2007 site systems or other applications. This recommendation is especially important when you are installing the software update point on the site server. When you are using a custom website for wsus 3.0 the default port numbers are 8530 for http protocol and port 8531 for https protocol (ssl). These port settings need to be specified when creating the active sup for the site.


Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#9 boozecow

boozecow

    Member

  • Members
  • PipPip
  • 17 posts
  • Gender:Male
  • Location:Montreal

Posted 30 August 2010 - 04:58 PM

Just want to add some notes from this wonderfull guide.

For example. I have a server HBM-WSUS and my SMS site name is SMS-MST

The Software Update point have to be install on BOTH server, not only on the HBM-WSUS. I lost some time figuring this out and asking me why the synchronisation failed.

The WSUS 3.0 SP2 administration console need to be installed on the SMS site.

Logs file for this is located in : SMS\LOGS\WSYNCMGR.LOG

Thanks again for the guide !

#10 Peter van der Woude

Peter van der Woude

    Advanced Member

  • Moderators
  • PipPipPip
  • 2,214 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 August 2010 - 01:40 PM

It only has to be installed on both, when they both have to act as an Software Update Point.

My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude


#11 drewgon

drewgon

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 29 November 2010 - 03:53 AM

It only has to be installed on both, when they both have to act as an Software Update Point.


Hi guys,


Dont mean to be bumping up an old post!..but having some problems with this.

Ive been trying to setup SCCM for couple days..with only some luck.

Trying to get the pre-existing remote WSUS server to work. Im on a LAN which is apart of a larger WAN..and we all have access to a Upstream windows update server within the WAN(Seperate from the microsoft update one.)

Our WSUS server obvasiously points @ the Upstream WSUS server...I have added this server as a 'Site system' and added the role..Im getting confused I dont think im looking @ the situation correctly. Do i need to set it to update from microsoft update or remote upstream..as im confused whether its took about the WSUS Server? or the SCCM..Also someone said above to add the SUP to the SCCM Site system..and also the WSUS Site System.

Everything im trying isnt wrking anyhow! Any ideas...I can give more info if I need = ) gotta leave work now!

Thanks in Advance.

#12 Peter van der Woude

Peter van der Woude

    Advanced Member

  • Moderators
  • PipPipPip
  • 2,214 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 November 2010 - 05:36 PM

I need some more information, like how does your environment looks like (servers and sccm-roles) and how do you want to configure the SUP's in it.

My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude


#13 chief21

chief21

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 16 December 2010 - 09:00 PM

Im sorry to open up an old post but I followed the steps in the guide and verified that the WSUS amdin console was installed on my SCCM server. I added the SCCM computer account as a local admin to the WSUS box and as a WSUS admin. However when I run the synchronization i get the following under my SMS_WSUS_SYNC_Manager status messages "SMS WSUS Synchronization failed.
Message: WSUS server not configured.
Source: CWSyncMgr::DoSync.
The operating system reported error 2147500037: Unspecified error
"
Is there something else I need to do. I did NOT add my SCCM server as an SUP only the WSUS server after adding it as a site system. Also in our environement we only have one SCCM server with all the roles since we are a fairly small shop. I also verified the ports are the same for both servers.

#14 wkdixon

wkdixon

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 28 January 2011 - 02:19 PM

I think we have the same setup as Drewgon. This is what I am working on getting working:

downstream WSUS --> Firewall --> WUS/SUP --> SCCM (WSUS/SUP attaches to another WSUS server for it's updates)

I am a little confused when configuring the role and say whether is connects to MS for updates or an Upstream server. When configured for an upstream server I get errors. Am I actually configuring the WSUS settings on the WSUS server from the SCCM when setting this role?

Thanks

#15 fmalik

fmalik

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 20 December 2011 - 09:38 AM

My SCCM SUP server is behind a proxy server that requires a username and password. The password is passed in clear text. WSUS has a check box to allow for this: Allow Basic Authentication, but SCCM does not have the same, so every time SCCM updates the WSUS proxy settings, the check box is cleared.
I am using SCCM SP2 R3 and WSUS SP2 and on both servers i have windows 2008 R2.

Any help will be highly appropriated.

thanks

#16 fmalik

fmalik

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 20 December 2011 - 11:30 AM

Thanks Mates i found the solution.

#17 iontoria

iontoria

    Member

  • Members
  • PipPip
  • 11 posts

Posted 29 March 2012 - 07:42 AM

Hello:
I´m trying to make a implementation of WSUS/SUP in my SCCM 2012 lab. I have 1 CAS and 2 primary sites (one for servers and one for intranet clients). I have to implement WSUS and I´m planning to put it under NLB. So I have deploy 2 Windows 2008 Servers, joined them to the domaind and I have installed WSUS 3.0 SP2. I have installed and configured NLB with these two machines. After that, from the primary site Configuration Manager 2012 console I have added one new site system server with the MP and SUP roles. In the Primary Site-->Site Configuration-->Sites i have configured the Software Update Point component with these settings:
- Use Network Load Balancing cluster for active siftware update point
- Put th NLB IP adress and the ports (8530 and 8531 in my case because I have a custom web site for WSUS).
- An account with privileges.

I have several doubts about this schema:

1) firstable, is the rigth way to make this type of implementation?
2) In the primary site there´s no WSUS installed, only SUP role. Is this correct? Do I have to install WSUS 3.0 SP2? Full installation or only administration console?
3) The CAS server is the only active software update point. It´s OK?

Any help about this would be appreciated.

thanks in advance.

Ivan

#18 saurabh

saurabh

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 09 May 2012 - 04:24 PM

Hi,

On the Product Selection screen, I am not seeing Office 2007 as an option to select, Could you please help me with that?


Thanks,
Saurabh

Attached Images

  • Snapshot.jpg


#19 Paul.Saade

Paul.Saade

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 18 September 2012 - 11:00 AM

Hello,

i have SCCM 2007 (mixed mode) installed on windows server 2008 R2 and i have WSUS installed on a remote windows server 2008 R2. i am trying to run synchronization from software deployment with no luck and it seems that wsus is not taking the products to download from SCCM as if it is not seeing SCCM (WSUS properties are different than Software Updtae Point Component Properties in SCCM). i have the following scenario:

System Site1 ("Specify FQDN for this system site on the intranet" is checked and the FQDN of the SCCM server is used as Intranet FQDN) on which i added the Software Update Point as Non active.
System Site2 ("Specify FQDN for this system site on the intranet" is checked and the FQDN of the WSUS server is used as Intranet FQDN) on which i added the Software Update Point as active

i installed full WSUS on WSUS server while on SCCM server i installed WSUS administration console and it is connected to WSUS server (WSUS using port 8530 and 8531)

In the component configuration General Tab "Active Software update point on remote server" is checked with "Port number" and "SSL Port number" being 8530 and 8531 respectively while "Active Server Name" is WSUS server name (Different than WSUS site server name). in the Sync Settings Tab "Synchronize from Microsoft Updates" is checked.

I am not using SSL for WSUS and i have no proxy running.

Every time i try to synchronize i get the error in the event viewer: WSUS server not configured

Any suggestions?

#20 Peter van der Woude

Peter van der Woude

    Advanced Member

  • Moderators
  • PipPipPip
  • 2,214 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 September 2012 - 07:08 PM

Where did you install the Software Update Point(s)?

My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Locations of visitors to this page