SUS Server..Download Updates

Thread: SUS Server..Download Updates

  1. #1
    Registered User BigB's Avatar
    Join Date
    Jul 2004
    Posts
    27

    SUS Server..Download Updates

    Hi Everyone,
    I was thinking of implementing SUS in our company. I have read quite a few articles on that and did not really find something helpful and how to automatically have the clients look at my SUS server. I know that I could go change the registry setting for each client, but there's gotta be an automated way that would change those registry settings as it would be insane to go to 500 machines and do the registry change manually.

    Also, is it true that I can't have any Anti Virus software running on the server ? How safe is that ? How about any firewall ? Can I have that turned on ?

    All your expert advice will be really appreciated. Thanks for your time.


    -BigB

  2. #2
    Registered User corturbra's Avatar
    Join Date
    Oct 2000
    Location
    Just to the Right of Sanity..
    Posts
    1,424
    Hello

    We have AV running with no issues.
    The registry setting you could set using a login script, have it write back to a folder somewhere so you know when the user has logged in and updated and remove the files from their login.

    It's not that tricky to setup to be honest, install on the server, synchronise and then approve.

    We didn't change the registry settings in the end, I think that's a last ditch approach if your Domain policy doesn't work....

    Adding the adm file into domain policy is easy and so are the settings, remember to add the computers/users in on the security for the domain policy, and the final tip, don't use the default policy, create a new one to mess with.

    Test with a couple of machines first and look for the windowsupdate.log on the PC, that will tell you where the PC thinks its update server is.
    "Today is a Gift, thats why they call it the present"

  3. #3
    Registered User BigB's Avatar
    Join Date
    Jul 2004
    Posts
    27
    Hey Corturbra,
    So how do you have the clients look at your SUS Server ? Do you actually do something on the SUS Server or modify on the client side ? What kind of policies would you recommend setting on both the client/server ? What are your h/w specs on the server ? I have a 2.5 Ghz, 512mb box and planning to put W2K3 on it (currently has XP Pro).

    We currently have an NT Domain, few 2000 and 2003 servers. So do not have Active Directory running. Would that be a problem? Please advise and what approach would I take in my environment ? Will SUS work ?

    Thanks for your help/time.

    - BigB

  4. #4
    Registered User corturbra's Avatar
    Join Date
    Oct 2000
    Location
    Just to the Right of Sanity..
    Posts
    1,424
    BigB

    Using the adm file on the Domain policy you tell the clients when they run the policy that the SUS Server is responsible for issuing updates... this could be done I guess by changing registry settings.

    Mmmm not sure how to implement in your situation, we run it on a crabby old server with no problems at all, but we do have Active Directory running.... I guess what you would need to do is set a Local machine policy or work out the registry settings to set this up....

    I'll have a think overnight about it and get back to you. It should be possible I would have thought to apply some kind of domain policy even without AD running.....

    Just a quicky why no AD with 500+ users and several servers? When you say NT domain is that an NT 4 server.... Would be interested in more details of your setup actually, not to sort this problem but curiosity!

    John
    "Today is a Gift, thats why they call it the present"

  5. #5
    Registered User BigB's Avatar
    Join Date
    Jul 2004
    Posts
    27
    John,
    I really appreciate you taking out some time and getting back to me.

    The adm file, are you talking about the wuua.adm file ? Don't you need to have AD and Group Policies in place to have that work ?

    I had read in the MCSE books that SUS needs to be on a dedicated server ? Don't know if that was a fact or a recommendation...obviously the first as it seems to be working in your case.

    We have about like 40-50 XP boxes and quite a few 2000 ones. It would be a nightmare to go to every single machine to update their registry w/o GPO and AD in place. There's gotta be an automated way to change the registry settings.

    My environment, we mainly have NT Domain and PDC, BDC servers. We have a few Win2k and a few W2K3 servers lately. I am not really sure how it would work in this scenario either.

    I'm working on my MCSE right now but still not that confident on dealing with AD and changing from NT to W2K3 or I could approach my boss with that suggestion. Have you done an upgrade like this ? How difficult is it to go down that road ? We are talking moving around 400 users on the new W2k3 AD structure.

    Once again, I appreciate all your help.

    - BigB

  6. #6
    Avatar Goes Here Radical Dreamer's Avatar
    Join Date
    Jan 2001
    Location
    Fairmont, West Virginia
    Posts
    4,866
    I'm using it via GPO, but what is the reg edit that needs to be made, just in case I want/need to use it in the future?
    :::Asus A8N-Sli Premium:::AMD 3500+ @ 2.4ghz:::2x80GB 8mb cache RAID0 Array:::GeForce 7800GTX OC:::2GB Corsair XMS Memory:::500 Watt Enermax Liberty PSU:::16x Lite-on DVDRW:::

    Counter Strike Source Forum and Server @ http://www.nvpclan.com -=Ninjas Vs. Pirates=-

  7. #7
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    I've been running SUS for almost a year now. To make all clients "look" at the SUS use a group policy. It's under Computer Config>Administrative templates>Windows update. Of course, this assumes that you have a Win2k AD DC since NT4 doesn't support group policy.
    Otherwise you have to mess with the settings on the client PC's under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    To change the registry settings you could write a script to do that and remotely run it on a list of PC's.
    Protected by Glock. Don't mess with me!

  8. #8
    Registered User BigB's Avatar
    Join Date
    Jul 2004
    Posts
    27
    CeeBee,
    Any clue on how to write a script that would modify those registry settings ?

  9. #9
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    dump this into a wu.reg file
    ------------------------------------------------
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://<your SUS FQDN>"
    "WUStatusServer"="http://<your SUS FQDN>"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000000
    "AUOptions"=dword:00000004
    "ScheduledInstallDay"=dword:00000000
    "ScheduledInstallTime"=dword:00000006
    "NoAutoRebootWithLoggedOnUsers"=dword:00000001
    "UseWUServer"=dword:00000001
    "RescheduleWaitTime"=dword:00000002
    -------------------------------------------------------
    This sets the PC to check daily at 6AM, download and schedule automatic install, prompts user to reboot if a reboot is needed.
    copy the file on a network share \\server\share
    make a file "computers.txt" containing the list of computers you want to modify (one per line)
    then having domain admin rights use psexec from www.sysinternals.com in a .bat script like:
    for /f %%i in (computers.txt) do psexec \\%%i regedit /s \\server\share\wu.reg
    (if running from command prompt rather than from a .bat use %i instead of %%i)
    Protected by Glock. Don't mess with me!

  10. #10
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    For some reason "Windows" in the key name appears broken in the post.. well.. it's one word with no spaces
    Protected by Glock. Don't mess with me!
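
Added example, not part of any post in this thread: because `regedit /s` imports silently, a wu.reg with a broken key name (as noted in post #10) or an unfilled `<your SUS FQDN>` placeholder fails without any message, so this Python check lints the file before it is pushed with psexec. The host name `sus01.example.local` and the value ranges are assumptions made for the example.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# DWORD ranges for the AU values in the post; the ranges are an assumption
# taken from the commonly documented Automatic Updates policy settings.
AU_RANGES = {"NoAutoUpdate": (0, 1), "AUOptions": (2, 5),
             "ScheduledInstallDay": (0, 7), "ScheduledInstallTime": (0, 23),
             "NoAutoRebootWithLoggedOnUsers": (0, 1), "UseWUServer": (0, 1),
             "RescheduleWaitTime": (1, 60)}
# Constructed sample modelled on the post; the host name is made up.
GOOD = ("Windows Registry Editor Version 5.00\n\n"
        f"[{BASE}]\n"
        '"WUServer"="http://sus01.example.local"\n'
        '"WUStatusServer"="http://sus01.example.local"\n\n'
        f"[{BASE}\\AU]\n"
        '"NoAutoUpdate"=dword:00000000\n"AUOptions"=dword:00000004\n'
        '"ScheduledInstallTime"=dword:00000006\n"UseWUServer"=dword:00000001\n')

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} from .reg (version 5) text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            is_dword = raw.lower().startswith("dword:")
            current[name] = int(raw[6:], 16) if is_dword else raw.strip('"')
    return keys

def lint(text):
    """List problems that would keep a client from using the SUS server."""
    problems = []
    if not text.lstrip().startswith("Windows Registry Editor Version 5.00"):
        problems.append("missing 'Windows Registry Editor Version 5.00' header")
    keys = parse_reg(text)
    for path in keys:
        if path not in (BASE, BASE + "\\AU"):
            problems.append(f"unexpected key (typo or stray space?): {path}")
    wu, au = keys.get(BASE, {}), keys.get(BASE + "\\AU", {})
    for name in ("WUServer", "WUStatusServer"):
        if not re.fullmatch(r"https?://[A-Za-z0-9.-]+(:\d+)?", str(wu.get(name, ""))):
            problems.append(f"{name} is not a usable URL: {wu.get(name)!r}")
    if au.get("UseWUServer") != 1:
        problems.append("UseWUServer is not 1, so WUServer is ignored")
    for name, (lo, hi) in AU_RANGES.items():
        if name in au and not (isinstance(au[name], int) and lo <= au[name] <= hi):
            problems.append(f"{name}={au[name]!r} outside {lo}..{hi}")
    return problems

if __name__ == "__main__":
    broken = GOOD.replace(r"Microsoft\Windows", r"Microsoft\Win dows")
    print(lint(GOOD), *lint(broken), sep="\n")
```

An empty list from `lint` means the file matches the layout given in post #9; after deployment, windowsupdate.log on a test client remains the check that the client actually picked up the server.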

  11. #11
    Registered User BigB's Avatar
    Join Date
    Jul 2004
    Posts
    27
    CeeBee,
    Thanks for all your help.
    Although, where is the wu.reg file located ? I did a search on my c drive and din have ne luck.
    Also, the script below, is that all of the script I would need ? I came across some real long scripts abt 7-9 pgs right now so lemme knw.
    I checked for PSExec on that site and din find it. Is it named PSExec ?

    The last statement u have
    "(if running from command prompt rather than from a .bat use %i instead of %%i)" is there an 'i' after the % signs ? U could prob tell, I have never written scripts before..

    Thanks for all your help.

  12. #12
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    Quote Originally Posted by BigB
    Although, where is the wu.reg file located ? I did a search on my c drive and din have ne luck.
    You copy the script between the "----------" above in a text file and save it as wu.reg
    Also, the script below, is that all of the script I would need ? I came across some real long scripts abt 7-9 pgs right now so lemme knw.
    that's all!
    I checked for PSExec on that site and din find it. Is it named PSExec ?
    psexec is part of pstools. it's here
    The last statement u have
    "(if running from command prompt rather than from a .bat use %i instead of %%i)" is there an 'i' after the % signs ? U could prob tell, I have never written scripts before..
    yes.
    You should practice on a single test machine before running it domain-wide.
    More info about the WU registry settings here
    Protected by Glock. Don't mess with me!

  13. #13
    Registered User BigB's Avatar
    Join Date
    Jul 2004
    Posts
    27
    Buddy...I appreciate your help big time man. I will owe u a big one if this all works out and falls in place. I will give it a try and let you know. I will be out tomorrow so will try in a couple days. But please chk these posts.

    Thanks,
    BigB

  14. #14
    Registered User BigB's Avatar
    Join Date
    Jul 2004
    Posts
    27
    CeeBee,
    I understand the registry settings and stuff. I'm not quite sure on the scripting part.
    1. Does the wu.reg file need to be saved on the server share that will be the SUS server or anywhere on the network.
    2. I downloaded psexec but just found an exe file. How would I modify that and if you don't mind could you tell me what those commands are actually doing ?
    "for /f %%i in (computers.txt) do psexec \\%%i regedit /s \\server\share\wu.reg (if running from command prompt rather than from a .bat use %i instead of %%i)"
    just for my curiousity & better troubleshooting.


    Thanks
    BIgB

  15. #15
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    Quote Originally Posted by BigB
    1. Does the wu.reg file need to be saved on the server share that will be the SUS server or anywhere on the network.
    Any network share the computers can access. I normally create hidden shares for this purpose (share names ending in '$')
    2. I downloaded psexec but just found an exe file. How would I modify that
    modify what??? the executable??? you just use it!!!
    and if you don't mind could you tell me what those commands are actually doing ?
    "for /f %%i in (computers.txt) do psexec \\%%i regedit /s \\server\share\wu.reg
    the command will parse the "computers.txt" file, assign to variable %%i the value it reads from each line and execute the command after "do"
    ex. if your "computers.txt" has these 2 lines:
    johndoe
    smithlaptop
    the following 2 commands will be executed:
    psexec \\johndoe regedit /s \\server\share\wu.reg
    psexec \\smithlaptop regedit /s \\server\share\wu.reg

    psexec will cause the command to be executed on the machine specified, therefore each of those 2 computers will execute:
    regedit /s \\server\share\wu.reg

    oh, you might have to use
    for /f %%i in (computers.txt) do psexec \\%%i -u <yourdomain>\Administrator -p <adminpassword> regedit /s \\server\share\wu.reg
    to be able to access the network resources.
    Last edited by CeeBee; August 11th, 2004 at 04:13 PM.
    Protected by Glock. Don't mess with me!
