SUS as an administrative point for OS updates. Updates are approved on the server, then client downloads and installs them automatically. SUS consists of several components:

• SUS running on an IIS server
• SUS admin website
• Automatic Updates, client side
• Group Policy, to modify client registry settings for windows update

Installing SUS

• choose file locations, metadata (information about the patch) must be downloaded to the server. Patches themselves may be stored on the server or left on Microsoft's servers for the clients to download themselves. If downloading the patches, allow at least 6GB of disk space
• Language Settings, specify which localisations you want patches for
• Handling New Versions of previosly approved patches: do you want them to be automatically accepted, or require re-approval
• Ready to Install: note URL for client connections (http://SUSserver)
• Install
• Completion: note URL for admin website (http://SUSserver/SUSAdmin)

When installed on Windows 2000 server, SUS setup launches IIS lock down Wizard: not necessary on Windows 2003, as IIS is already locked down. Lock down may affect functionality of any existing websites on the server, therefore it is recommended that you install SUS on a dedicated server

Configuring SUS

SUS can be configured to access Windows Update through a proxy that requires authentication, but Automatic Updates cannot. First site server will synchronise to Microsoft's server: subsequent SUS servers can be made to synchronise with Site Server. A number of topologies possible:

1. Multiple Server: each SUS server synchronises content from Microsoft and maintains its own approval list
2. Strict Parent/Child
3. Loose Parent/Child: Parent synchronises content with Microsoft, but each child maintains own approval list
4. Test/Production Topology: Parent downloads and approves updates for testing, test clients download updates. When satisfied with test phase, updates can be copied manually to content distribution point on a second IIS server. Production SUS servers synchronise with this distribution point

Synchronisation can be set to manual or scheduled. Automatic Updates client included with XP SP1, 2000 SP3 and 2003. Standalone client available for earlier releases of supported platforms. Use SMS, GPO or logon script to install msi client package. Autoatic Updates supports to dowload behaviours: Automatic and notification. Notification registers notification in event log and displays a notification area icon when an administrator logs in. Two options for installation: notification and automatic. Notification will display message when an administrator logs in. Automatic installation will warn logged in administrators that a scheduled install is about to start, providing option to cancel if required. Installation occurs automatically if no-one is logged in. If computer is not turned on at scheduled install time, update will occur at next scheduled install. Updates that require a reboot will prevent any new updates being discovered until the reboot occurs. Use GPO to redirect clients to your servers. Policies:

• Configure Automatic Updates: notification or automatic
• Reschedule AU Scheduled Installs: value of 1 to 60 represents number of minutes to wait for install after system startup
• No Auto-restart
• Specify Intranet Microsoft Update Service Location

Clients poll SUS server every 22 hours minus a random offset

Monitoring SUS

Monitor Server page displays update statistics. Metadata written to disk and stored in memory to improve response to client requiests. Logfiles:

• Synchronisation Log: history-sync.xml
• Approval Log: history-approval.xml
• Windows Update Log: %windir%\windows update.log (on client)
• wutrack.bin: client interaction log
• IIS logs: %system32%\logfiles\w3svcl
• Eventlog: SUS logs synchronisation and approval events to the system event log

Troubleshooting:

1. click Monitor Server, Refresh to reload memory cache “ necessary if new updates are not showing
2. restart synchronisation service
3. restart IIS, if you cannot connect to the website
4. Client registry Keys:
   • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
   • WUServer: http://SUSserver
   • WUStatusServer: http://SUSStatusServer
   • UseWUServer: 1 (AU subkey)

Backing Up SUS

Backup:

• Folder that contains SUS content
• SUS admin website (in wwwroot)
• IIS metabase (from IIS console, select Server, Action, All Tasks, Backup/Restore Configuration. Defaults to %windir%\system32\inetsrv\metaback)
• Auto Update virtual Directory (by default in wwwroot)

To recover server:

• reinstall server
• reinstall IIS and SUS
• restore SUS backup
• use IIS console to restore config

Service Packs

Download whole service pack or download installer program, which downloads the service pack as part of the installation. CDs also available, which may contain extras. Service pack executable can either be executed or extracted, using the -x switch, to a folder. When using group policy, assign service pack through computer-based policy (use unc path to update.msi).