
SCCM design and WUS/SUP

 
SCCM design and WUS/SUP - 4/11/2008 10:34:30 AM   
zemporio


Posts: 99
Score: 0
Joined: 9/16/2005
From: Golden State
Status: offline
Hi everybody,

I have one central site and two primary sites reporting to the central site, and then around 25 secondary sites reporting to the primary sites.

I was wondering how to set up WSUS/SUP in our environment. In SMS 2003 you would install ITMU on the Central Site and the Central Site would manage all security updates. I am reading the SCCM deployment guide and it's recommending to install WSUS and SUP on Central and Primary Servers.

Is this how I should set up our environment? How did you guys do it? What is the best practice?

Post #: 1
RE: SCCM design and WUS/SUP - 4/14/2008 2:43:04 PM   
dougeby

 

Posts: 14
Score: 0
Joined: 12/3/2007
Status: offline
Hello,

In Configuration Manager 2007, you MUST install a software update point (SUP) on each primary site in the hierarchy.  You can still centrally manage updates from the central site, but software updates relies on the SUP/WSUS infrastructure to be in place on each primary site in the hierarchy.  The decision that you will need to make is whether or not to install a SUP at any/some/all of your secondary sites.  Clients assigned to secondary sites will use the SUP at the parent primary site if one is not installed at the secondary site.  Your decision to install a SUP at the secondary site is much like your decision to install a proxy management point at a secondary site.

Thanks,

Doug


(in reply to zemporio)
Post #: 2
RE: SCCM design and WUS/SUP - 4/14/2008 8:07:52 PM   
zemporio


Posts: 99
Score: 0
Joined: 9/16/2005
From: Golden State
Status: offline
Thanks Doug,

I am reading that the GP for Automatic Updates has to be changed also. What are the best-practice recommended settings? I am seeing an error on lots of my clients: Failed to remove update source from WUAgent.

If I enable SUP on my primary site, do I also have to install WSUS on each primary server?

I am just trying to understand SCCM; it's a bit different than SMS.

thx again,
emp


(in reply to dougeby)
Post #: 3
RE: SCCM design and WUS/SUP - 4/15/2008 9:58:42 AM   
snekar

 

Posts: 1
Score: 0
Joined: 4/15/2008
Status: offline
I think that you only need to install the full WSUS 3.0 once and then point your central site to that server.  However, you need to install the WSUS 3.0 administrator console on any site that you intend to use an SUP.  I believe that the way it works is that you install WSUS 3.0 server, but do NOT go through the configuration.  You use your highest uplink point (your central server, probably) and install an SUP which you point at the WSUS 3.0 server.  SCCM will then configure the synchronizations and schedules and all of that stuff.  You can then set up SUP on your other servers and link them to the central site.

P.S. - you don't HAVE to create a separate server for the WSUS server, you can install it directly on your central site.  It's all about performance.

(in reply to zemporio)
Post #: 4
RE: SCCM design and WUS/SUP - 4/15/2008 11:03:48 AM   
zemporio


Posts: 99
Score: 0
Joined: 9/16/2005
From: Golden State
Status: offline
thx snekar,

Regarding the GPO: I only have to change the setting under Windows Update, Specify intranet Microsoft service location, to Enabled with the value http://servername:8530, correct?
I can leave Configure Automatic Updates disabled.


(in reply to snekar)
Post #: 5
RE: SCCM design and WUS/SUP - 4/16/2008 3:37:05 AM   
dougeby

 

Posts: 14
Score: 0
Joined: 12/3/2007
Status: offline
Configuration Manager will set the local policy "Specify intranet Microsoft service location" on the clients automatically so if you aren't using the SUP method for installing clients then it's best not to set the domain policy and let Configuration Manager configure the policy.  Otherwise, the domain policy will overwrite the local policy on clients and there is potential for misconfiguration.

As far as the previous response about just installing the full WSUS 3.0 installation on the central site and installing the WSUS administration console (not the full version) on child primary sites...that's not correct.  You must install the full WSUS 3.0 (or SP1) version on every Primary Site in the hierarchy for software updates to work correctly.  After you install the full WSUS 3.0 installation you can exit the WSUS Configuration Wizard.  Configuration Manager handles all necessary WSUS configuration and will overwrite most settings that you configure in the WSUS console anyway.  The SUP at the central site handles the sync schedule, is the only SUP that connects to Microsoft Update (unless disconnected) to download the software updates metadata, configures most of the sync settings, etc.  The SUP at the child primary site gets the sync settings from the central site, initiates synchronization after the central site completes synchronization (the child receives a sync request), and during the sync process the WSUS server for the child site connects to the WSUS server for the parent site and retrieves sync settings (such as update classifications, products, language, etc.) and the metadata.  The SUP for a child site is automatically configured to synchronize from an upstream server as it knows it is connected to a parent primary site that has a SUP.

Started rambling, but hope that helps.

Oh...and IF the WSUS server (SUP site system) is remote from the site server, then you DO need to install the WSUS administration console on the site server so the necessary WSUS API files are available on the site server, but this has nothing to do with the actual SUP for the site.

Doug

(in reply to zemporio)
Post #: 6
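
Added example, not part of any post in this thread: a PowerShell check for the conflict Doug describes in post #6, comparing the Windows Update Agent policy values on a client with the SUP URL its site should hand out. The function name `Get-WuaPolicyState` is hypothetical and `http://servername:8530` is the placeholder from post #5. The registry values cannot show which policy wrote them, so a mismatch only indicates that a domain GPO is worth checking.

```powershell
# Added example (not from the thread). Run locally on a client.
function Get-WuaPolicyState {
    param([Parameter(Mandatory = $true)][string]$ExpectedUrl)

    # Registry location behind "Specify intranet Microsoft update service location".
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    # Normalise so a trailing slash or different case is not reported as a conflict.
    $normalise = { param($u) if ($u) { $u.ToString().TrimEnd('/').ToLowerInvariant() } }
    $expected = & $normalise $ExpectedUrl
    $server   = & $normalise $wu.WUServer
    $status   = & $normalise $wu.WUStatusServer

    $finding = if (-not $server) {
        'No WUServer policy present: the client has no scan source configured'
    } elseif ($server -ne $expected) {
        'WUServer differs from the expected SUP: check for a domain GPO setting this policy'
    } elseif ($status -and $status -ne $server) {
        'WUStatusServer differs from WUServer'
    } elseif ($au.UseWUServer -ne 1) {
        'UseWUServer is not 1: the agent ignores the intranet location'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        Expected       = $ExpectedUrl
        Finding        = $finding
    }
}

# Placeholder URL; substitute the SUP for the client's assigned site.
Get-WuaPolicyState -ExpectedUrl 'http://servername:8530'
```
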
RE: SCCM design and WUS/SUP - 4/17/2008 10:25:37 AM   
zemporio


Posts: 99
Score: 0
Joined: 9/16/2005
From: Golden State
Status: offline
Thx Doug,

Now it makes sense. I installed WSUS on the Primary Sites and most of the errors went away; the sync and everything else is working fine. The only problem I see now is that I have only 37 clients that have "Scan Completed"; the rest of them have the status message Scan Failed or Scan is waiting for content. I have to do some troubleshooting to see what the problem is. I am sure some group policy is causing a conflict. Before I came, they had a SUS server installed at some point.

thx again Doug!!!

(in reply to dougeby)
Post #: 7
RE: SCCM design and WUS/SUP - 4/22/2008 3:02:15 PM   
iburnell


Posts: 239
Score: 1
Joined: 5/14/2003
From: London, UK
Status: offline
Just to add another thing: although you don't have to, you can install WSUS and SUP at secondary sites. If you do, then the client PCs run their compliancy scans against the WSUS database at their local (secondary) site. If you don't have them, then the clients look to the WSUS database from the assigned site, i.e. the parent primary.

Think of it like a proxy Management Point. If it's there, clients will use it; if not, they use the parent primary.

_____________________________

Ian Burnell
London UK

(in reply to zemporio)
Post #: 8
RE: SCCM design and WUS/SUP - 4/23/2008 11:10:39 AM   
enderW

 

Posts: 1
Score: 0
Joined: 4/23/2008
Status: offline
quote:

Configuration Manager will set the local policy "Specify intranet Microsoft service location" on the clients automatically so if you aren't using the SUP method for installing clients then it's best not to set the domain policy and let Configuration Manager configure the policy. Otherwise, the domain policy will overwrite the local policy on clients and there is potential for misconfiguration.
 

Doug thx for that comment. I am kind of worried about this.
I have WSUS installed on my central server and primary servers but I don't really know how it will play out when I install the SUP role on them.
Do all the clients automatically have their local group policy enabled and then set to get updates from their respective primary servers? I would really not like this to be the case.
Is there a way to pick a few machines to test this out on instead of All or nothing?

(in reply to iburnell)
Post #: 9