One of the best practices to keep safe your environment is to keep up to dates your Workstations and Servers.
You have the option to configure one by one your Workstations to download the Windows Updates automatically out of working hours.
But this is not a solution when you have hundred of Workstations and Servers.
WSUS it's a solution from Microsoft that can use it to centralize and monitoring the Windows Updates in every Windows device.
For those that you have the Servers and Workstations in the same physical location you can cover your requirements from the first paragraph How to install the WSUS Upstream Server
But for the rest that your infrastructure include Branch Offices or your Servers located in a Private Cloud of a Datacenter then you must setup one WSUS Upstream Server and WSUS Downstream Server for every physical location which include Workstations or Servers.
WSUS can use it in different infrastructures like Autonomous Mode, Replica Mode, Offline Mode.
I wrote this article to explain how can use the Replica Mode
How Replica Mode Working
Replica Mode works by having an Upstream Server that shares updates , computer groups, approval status with downstream server. The Replica Mode inherit update approvals from Upstream Server and you can't administered separately.
With this infrastracture type can centralize the administration and can be manage from one location.
For better understanding see the design of how is working
Before start any implementation you must fullfil the following requirements
- Allow port tcp/8530 between WSUS Upstream Server and WSUS Downstream Server without SSL.
- Allow port tcp/8531 between WSUS Upstream Server and WSUS Downstream Server with SSL
If you don't have any WSUS in your environment the first step is to setup a WSUS in your Head Office which will has the Role of the Upstream Server.
Read the article of the above link How to install & configure WSUS in Windows Server 2016 and then continue with the WSUS Best Practices on Windows Server 2016
How to install the WSUS Downstream Server
After finish with the installation and configuration then you can proceed with the installation and configuration of the Downstream Server
The process is straightforward which i will explain it now
- Open Server Manager
- Click Manage -- Add Roles
- Click Next
- Keep the Role-Base and featured based installation and click Next
- Once again Next
- Check the Windows Server Update Services.
- Click Add Features
- Click Next
- Click Next
- We don't use SQL Server so leave the default settings and click Next
- Specify the path that you want to store the updates. It's recommended to store in different partition.
- Just click Next for the IIS
- Don't change anything
- Click Install and wait until finish the installation
How to configure WSUS Downstream Server
After the installation finish succesfull it's time to configure the WSUS as Downstream Server
- Click in the Flag from the Server Manager and select Launch Post installation Tasks
- Or open the Windows Server Update Services from Server Manager -- Tools
- The first Window explain the requirements that you must cover to proceed. Click next
- Leave or uncheck the option and click Next
- Click the option Synchronize from another Windows Server Update Services
- Type the FQDN of the Upstream Server
- Base on your requirements check the This is a replica of the Upstream. Click Next
- Click Start Connecting.
- If you don't have configure to allow the appropriate ports in firewall then you will receive an error like the following
- Select the Language for the Windows Updates. If you don't have Windows in other language except English then select only the English. Unless select the appropriate languages base on your requirements.
- Schedule the Synchronize. I would like to note that the Synchronize will be between this WSUS and the WSUS Server that you have select in previous steps.
- Check the Begin initial synchronization and click Next if you want to start immediately after finish the Configuration
- Click Finish
- After finish the configuration then login in WSUS Upstream Server
- Expand the WSUS and click in Downstream Servers.
- Verify that the Downstream Server located there
- Then right click and select Add to Server Console
- This options add the Downstream Server in the Console to manage it from the Upstream Server
- Click in the Downstream Server and from the right side click Synchronize Now to download all the Windows Updates from the Upstream Server.
- Remember that when you click Synchronize Now in the Downstream Server do the following
- Download Windows Updates from the Upstream Server
- Update the members in the Computer Groups if has added or removed.
- As you can see the recommended is to has an SSL to secure the communication between WSUS Server.
- But as first step prefer to install and configure it without SSL and after finish the implementation to proceed with the SSL installation.
Until next article Have a nice weekend !!!