Back To Basics : Windows Server Update Services -WSUS Part3
We have now created the GPO and all the required policies so that our clients can reach the WSUS server. The next decision is what to do about your branches. From my experience, if a branch has fewer than 50 users you don't need to place a WSUS server there; the clients can download everything over the WAN (BITS can handle it). If you have more users, you will need either a child (downstream) WSUS or a complete replica. The first is a complete WSUS server that uses the first WSUS as its update source (instead of Microsoft). The replica is created identical to the one we have, so every change we make is replicated to it; the replica does not download from the internet but from the main server (like an RODC in AD).
Usually the choice comes down to administration needs: if you have admins in the remote sites, use the normal downstream WSUS, but if you are placing the WSUS server only to save WAN bandwidth, use a replica.
There is a third way, but it is rarely used: one primary WSUS with a selective test group and a downstream server that pushes to all users (I see this as unnecessary, as you can do the same with computer groups).
now first order of things adjust the views
next we move to all updates
now we arrange by supersedence and decline everything superseded
decline this
now we create our Test Computer Group
now we add machines from all our departments to test the effects of the updates on our applications
now filter the view to have only the needed updates
the step after is to approve critical updates
we select only our test group
next we move on to the security updates
add the MSRC severity column and approve the critical ones for the test group as above
the next step is applying auto-approval rules from Options
definition updates help in a lot of ways and have zero impact on your environment, so they can be auto-approved
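The decline and test-group approval steps above can also be scripted against the WSUS administration API. This is an added example, not part of the original post; the group name 'Test' and the -Apply switch are assumptions, and it does not apply the console's "needed" filter.

```powershell
# Added example (not from the original post). Run elevated on the WSUS server.
# Without -Apply it only lists what it would decline or approve.
param(
    [string]$GroupName = 'Test',   # assumed name for the test computer group
    [switch]$Apply
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Find the test group, creating it only when changes are allowed.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group -and $Apply) { $group = $wsus.CreateComputerTargetGroup($GroupName) }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$report  = foreach ($u in $wsus.GetUpdates()) {
    if ($u.IsDeclined) { continue }

    if ($u.IsSuperseded) {
        # Superseded by a newer update: decline it, as in the supersedence view.
        if ($Apply) { $u.Decline() }
        $action = 'Decline'
    }
    elseif ($u.UpdateClassificationTitle -eq 'Critical Updates' -or
           ($u.UpdateClassificationTitle -eq 'Security Updates' -and
            $u.MsrcSeverity -eq 'Critical')) {
        # Classification titles are the English ones; adjust for other locales.
        if ($Apply) { [void]$u.Approve($install, $group) }
        $action = "Approve for $GroupName"
    }
    else { continue }

    # One row per update that was (or would be) touched.
    New-Object PSObject -Property @{
        Action = $action; Severity = $u.MsrcSeverity; Title = $u.Title
    }
}

$report | Sort-Object Action, Title | Format-Table Action, Severity, Title -AutoSize
```

Review the dry-run table before re-running with -Apply, since declines and approvals take effect on the server immediately.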
I have installed a second WSUS using the same steps in the first post
to create normal downstream
to create replica just mark the check box
note that all options are disabled as soon as we check the replica box
you will need only to define the sync schedule
Now WSUS is up and running and machines are showing up in it, but we have one problem: roaming laptops. What will happen if 10 users are having a meeting in one branch? What if you have 100 users moving around? This will impact your WAN connections greatly. To solve this issue (in the branches that have a WSUS server), you can redirect the users to that branch's server.
now we go to the Active Directory Sites and Services
create the needed sites and their subnets (don’t forget to assign the subnets to a site )
the step after we open the GPMC and create the needed GPO for each site ( as in Back To Basics : Windows Server Update Services -WSUS Part2 )
the next step is to link the GPO to the site, so that when a user changes his location (his IP), AD will know his site and apply the appropriate GPO
the final results
that's it: when a user moves, his WSUS server changes with him
some handy notes you will need
- wuauclt.exe /detectnow
- wuauclt /r /reportnow
- you can add one computer to multiple groups, just use ( ; ) when entering the group membership in WSUS
Here is a trick I learned.
When WSUS downloads updates it uses BITS. The problem is that BITS doesn't use the full bandwidth; it gives other machines the opportunity to use the network and doesn't use much of the server's resources.
So if we switch WSUS to foreground download, it becomes a bandwidth monster (I have seen it consume nearly 100% of the bandwidth and leave the users with nothing), so take care and switch this off after you finish.
First, download the Server Diagnostic Tool from http://technet.microsoft.com/en-us/wsus/bb466192.aspx and extract it to c:\wsustools (you can use any name, but make it short).
next run the command
wsusdebugtool.exe /tool:setforegrounddownload
now WSUS can eat all the bandwidth it can find
so sit back and enjoy