SCCM and WSUS questions...

[jbhaire2004]

Environment:

In my production environment I have SCCM 2007 R2 and WSUS 3.0 SP1 installed on a server running Windows Server 2008 SP1. There are additional servers are running the Windows Server 2008 Domain Controller role. The SQL database is being serviced by a separate server running SQL Server 2005 under Windows Server 2008.

 

I am currently testing the push of updates to a test collection with the intention of pushing updates to my production environment starting this weekend. As we are still standardized on running XP as our desktop OS, my thought was to start with pushing Windows XP SP3 and then move forward from there.

 

I have read "Configuring Software Update Point within SCCM" guide and have been reviewing the settings in WSUS and SCCM SUP. There are a few areas that I was uncertain about and I was hoping that I could get some clarification.

 

At the end of the "Configuring Software Update Point within SCCM" post, I noted a question about whether SCCM should be downloading updates from Microsoft or getting the packages from WSUS. After looking closer at the settings of WSUS and SCCM SUP; I was uncertain of this myself. Additionally I found a few settings available through WSUS that appear to be unavailable in SCCM SUP. As far as I can tell, SCCM SUP only has the option to download updates once they are approved. WSUS on the other hand, has the ability to download all updates that match the Products and Patch types you define, prior to being approved. Assuming you have the disk space, I think it would be advantageous to have all updates automatically downloaded during off peak hours. (I say this as I have to consider synchronization can take hours to complete and in my environment I need to be mindful of heavy bandwidth utilization during business hours.)

Is it possible to have SCCM SUP download all the updates ahead of time? Is it possible, with a local install of SCCM SUP and WSUS on the same machine, to have WSUS download all the updates ahead of time then point SCCM SUP at the WSUS download store? Will adjusting any setting within WSUS after installing the SCCM SUP cause conflicts?

 

 

 

On another note, I have found that when working with pushing updates through SCCM SUP, it appears that the actually update files are duplicated in multiple location on the drive. SCCM downloads the update to its default location (let's say D:\SMSPKGD$), then when the update package is created the update is then copied again to the package storage location (let's say D:\Package_Repository). Is that normal? It just seems odd to burn disk space twice.

 

Thanks in advance for any insight that can be offered,

jbhaire2004

[anyweb]

its a good question and i'll try and answer it as best as i can, but before i do, remember that you should do your configuring within SCCM and not within WSUS, even if WSUS appears to offer options that might be nice to have, SCCM must do the work.

 

now to your points..

 

As far as I can tell, SCCM SUP only has the option to download updates once they are approved.

 

SCCM will not download any updates unless you tell it to, and that is not a synchronisation, but rather when for example you right click on an update in your search collection and choose Download.

 

WSUS on the other hand, has the ability to download all updates that match the Products and Patch types you define, prior to being approved.

 

yup, but this isn't wsus it's SCCM leveraging off of a WSUS server. you could download all updates that maatch the products you wanted in SCCM by setting up appropriate search folders and manually selecting the updates you want to download, not too hard to do, but some manual work is involved

 

Assuming you have the disk space, I think it would be advantageous to have all updates automatically downloaded during off peak hours, as synchronization can take hours to complete and many environments need to be mindful of heavy bandwidth utilization during business hours.

 

synchronisation from a SCCM perspective is the act of querying a wsus server to ask microsoft update for a list of patches available, sccm will then update its database's accordingly but the updates themselves are not downloaded until you select them.

 

Is it possible to have SCCM SUP download all the updates ahead of time?

 

yes, but then you'd have to select 'all the updates' in your search folders and choose to download them and go through that process,

 

Is it possible, with a local install of SCCM SUP and WSUS on the same machine, to have WSUS download all the updates ahead of time then point SCCM SUP at the WSUS download store? Will adjusting any setting within WSUS after installing the SCCM SUP cause conflicts?

 

yes it possible to get wsus to download everything by changing a setting on the wsus admin console, however its not recommended, I'll see if i can find that info and share it here, but like i said, you shouldn't do it

[jbhaire2004]

Thank you very much anyweb. The last point you addressed was what had me questions my configuration. Ideally I'd like to have the all the updates auto-downloading during off peak hours. If the alluring and seemingly possible method of accomplishing this by toggling that setting in WSUS is not recommended, I would be more hesitant to attempt it. I would however be curious as to the reason why it’s not recommended.

 

Along those lines, in SCCM there is an option under Component Configuration -> Software Update Point Component -> Properties (Right Click Menu) -> Sync Settings (Tab); where you can change a setting from “Synchronize from Microsoft Update” to “Synchronize from an upstream update server”. I am uncertain as what exactly that is referencing. Is that referring to data about updates or the updates files themselves?

 

Is there a supported method to in which you point SCCM to a WSUS server that relies on and upstream update server for its update files? Meaning, can you configure 2 WSUS server in the environment, with the WSUS#1 downloading everything from Microsoft while WSUS#2 is configured to look to WSUS#1 as an upstream server for source files?

 

With the supported manual initiation of downloads by selecting “Download Software Updates” from the Right Click Menu, is there a way to go through the approval process at 12:00pm yet delay the download from happening till a later specified time, say 3:00am?

 

Related to the manual download initiation, when creating Search Folders, I encountered 1 unexpected instance. I followed your "Configuring Software Update Point within SCCM" guide as well as worked through Chris Stauffer’s “SCCM Patch Management” documentation. In creating the “All Microsoft Patches” search folder, I found that some of the expected patches were missing. I went back through and found that by defining “Bulletin ID = MS” you miss Service Packs, Critical Updates, etc. This that something that occurs by design? By using the “Bulletin ID = MS” what should be included?

 

Still had one question from my first post:

On another note, I have found that when working with pushing updates through SCCM SUP, it appears that the actually update files are duplicated in multiple location on the drive. SCCM downloads the update to its default location (let's say D:\SMSPKGD$), then when the update package is created the update is then copied again to the package storage location (let's say D:\Package_Repository). Is that normal? It just seems odd to burn disk space twice.

[anyweb]

ok have a read of this article on MSDN regarding Synchronizing from Microsoft Update or an Upstream Server

 

An organization can have one or more WSUS servers. Using multiple WSUS servers allows you to scale WSUS in a large organization. If the organization uses multiple WSUS servers, one of the servers will act as the upstream WSUS server (the remaining servers are downstream servers). You use the upstream server to specify the updates that you want to synchronize with Microsoft Update. The upstream WSUS server should have the IUpdateServerConfiguration.SyncFromMicrosoftUpdate configuration setting set to true.

 

Downstream servers synchronize updates from the upstream WSUS server. There are two forms of downstream servers: autonomous and replica. An autonomous server synchronizes the same updates as the upstream server; however, it can create its own target groups and manage its own approvals.

 

To specify that an autonomous downstream server synchronize with the upstream WSUS server, set IUpdateServerConfiguration.SyncFromMicrosoftUpdate to false and call:

 

* IUpdateServerConfiguration.UpstreamWsusServerName to specify the name of the upstream server from which you want to synchronize

 

* IUpdateServerConfiguration.UpstreamWsusServerPortNumber to specify the port number to use to communicate with the upstream server

 

* IUpdateServerConfiguration.UpstreamWsusServerUseSsl to specify that you want to use a secured connection to communicate with the upstream server

 

A replica downstream server replicates the upstream server. The replica server synchronizes the same updates as the upstream server, and has the same target groups, approvals, accepted license agreements (EULAs), and declined status as the upstream server. The only difference between an upstream server and the replica server is the clients that are assigned to the target groups.

 

You specify if the server is a replica downstream server when you install WSUS; you cannot modify this setting. (See IUpdateServerConfiguration.IsReplicaServer.)

 

Downstream WSUS servers receive synchronization settings from the upstream WSUS server. The only settings you can change on the downstream server is the synchronization schedule. You can also start and stop the synchronization process on the downstream server.

 

and from your last post

 

Still had one question from my first post:

On another note, I have found that when working with pushing updates through SCCM SUP, it appears that the actually update files are duplicated in multiple location on the drive. SCCM downloads the update to its default location (let's say D:\SMSPKGD$), then when the update package is created the update is then copied again to the package storage location (let's say D:\Package_Repository). Is that normal? It just seems odd to burn disk space twice.

 

it does do this, and you just have to accept it i guess

 

I set my search folders up as follows, this way i get to see/pick whatever updates I want, for example, if i want the service packs i can take them from the OS All Updates search, and so on

 

does this help ?

 

 

and finally, from the SCCM help file:

 

The Sync Source tab contains the following elements:

 

Synchronize from Microsoft Update

 

Specifies that the software update point synchronizes with Microsoft Update. This setting should be selected for only the software update point that is highest in the Configuration Manager 2007 hierarchy.

 

Synchronize from an upstream update server

 

Specifies that the software update point synchronizes with an upstream update server. The software update point at the parent Configuration Manager 2007 site is automatically configured to be the upstream update server.

 

Do not synchronize from Microsoft Update or an upstream update server.

 

Specifies that the software update point does not synchronize with any server. Select this option if using the WSUS export/import function to obtain software update definitions. For more information, see How to Synchronize Updates Using Export and Import.