- In this video guide, we will be covering how to use a shared WSUS database for multiple software update points in SCCM. Using a shared WSUS Database is generally considered a best practice in well-connected scenarios since this offloads the vast majority of network impact if a client were to switch SUPs in SCCM.
Topics in Video
- Review the SCCM docs and why a WSUS shared DB is usually a good idea – https://youtu.be/y7w7hBSHShc?t=42
- Review why wsyncmgr syncs are faster when using shared WSUS database – https://youtu.be/y7w7hBSHShc?t=93
- Review current labs primary SUP with SQL DB, and secondary SUP using WID – https://youtu.be/y7w7hBSHShc?t=175
- Enable Debug and Verbose logging to wsyncmgr.log and wcm.log – https://youtu.be/y7w7hBSHShc?t=293
- Review how the WSUS_Configuration_Manager tread reads all available SUPs at startup and how it determines if it’s using a shared WSUS database – https://youtu.be/y7w7hBSHShc?t=419
- Review wsyncmgr.log for multiple SUPs in a non shared WSUS Database – https://youtu.be/y7w7hBSHShc?t=508
- Remove WID WSUS role service and add SQL WSUS role service – https://youtu.be/y7w7hBSHShc?t=686
- Configure SUP-2 to use SUP-1’s WSUSContent library folder for EULA/3rd-Party Update Content – https://youtu.be/y7w7hBSHShc?t=843
- Run WSUSUTIL.exe postinstall to change WSUS to use the shared SQL Database and Shared WSUSContent folder – https://youtu.be/y7w7hBSHShc?t=1005
- Resolve IIS misconfigurations after postinstall – https://youtu.be/y7w7hBSHShc?t=1215
- Add “\\” to the beginning of Physical path in IIS Content virtual directly
- Change Authentication for Anonymous Authentication to use WSUS Application Pool Identity instead of local IUSR account
- Start WSUS_Configuration_Manager and validate it updates SUP-2 configuration in the active SUP list to be a shared WSUS database – https://youtu.be/y7w7hBSHShc?t=1505
- Publish a third-party update to get a WSUS catalog change and run a SUP sync to review how the sync is now treated as a single SUP sync – https://youtu.be/y7w7hBSHShc?t=1637
- Setup shared WSUS database in a new clean WSUS installation on a new SUP rather than converting an existing SUP to a shared WSUS database – https://youtu.be/y7w7hBSHShc?t=1744
Commands and Notes:
- Powershell command to see WSUS installed role services: Get-WindowsFeature -Name UpdateServices*
- Powershell command to remove WSUS WidDB: Remove-WindowsFeature -Name UpdateServices-WidDB
- Powershell command to install WSUS SQL Database Connectivity: Install-WindowsFeature -Name UpdateServices-DB
- WsusUtil command: WsusUtil.exe postinstall SQL_INSTANCE_NAME=”SCUP.CONTOSO.LOCAL” CONTENT_DIR=”\\SCCM3-DPMPSUP-1.CONTOSO.LOCAL\WSUS”
- SQL_INSTANCE_NAME and CONTENT_DIR should be changed to for your environment details
- Great blog post version of using a shared WSUS Database – https://blogs.technet.microsoft.com/configurationmgr/2016/10/12/how-to-implement-a-shared-susdb-for-configuration-manager-software-update-points/
- Manually switch clients to a new software update point – https://docs.microsoft.com/en-us/sccm/sum/plan-design/plan-for-software-updates#BKMK_ManuallySwitchSUPs
- Use a shared WSUS database for software update points (Installation Best Practices) – https://docs.microsoft.com/en-us/sccm/sum/plan-design/software-updates-best-practices#bkmk_shared-susdb
- Managing WSUS from the Command Line – https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127395
I’m really grateful for your video’s I have learned so much, however I have a question about the shared content folder.
Is locating the Shared content folder supported on a DFS share supported?
In a failure scenario it would be good not to need to recover the content folder as well as the SUSDB.
I think it may be supported, but we have seen some issues with third-party updates (CAB) files sometimes deleting on DFS when multiple WSUS servers point to the same DFS share.
again a great video!
Is it possible to share the WSUS database in an untrusted domain scenario?
Example: SUP 1 = Domain 1; SUP 2 = Domain 2 (DMZ)
Yeah it is, you will need to use a connection account in the SUP site system.
just wondering how that works, as this is still about WSUS so far, not yet the SUP.
How can the 2nd WSUS connect to SQL in another domain without providing credentials?
Similar with the share, isn’t it?
In the SUP, I believe you can provide a SQL connection account.
I would also be very interested in the shared SUSDB configuration in an untrusted forest.
I don’t see a way to add a SQL conneciton account during the installation of the WSUS feature. (prerequisite)
The same with the share, which must be accessible during the WSUS setup. There is also no option for a connection account.
Or did I miss something? Is there another installation method?
Thanks for the help!
About using ssl for SUP on both server. I am planning to use the following setup:
On the primary site, I will have a share for wsus (\\server1\wsus).
Two SUP pointing their contentDir on that share and using the same DB.
Both SUP should be configured to use ssl, will it cause problem when browsing to get the EULA? When I am trying to browse the content (the dummy file) using the port 8531 I have a certificate error.
Should I have the site server name in the SAN of the certificate?
When e PR1 primary SUP and Sec1 Secondary site SUP hosted in remote place. can i restrict All clients from remote place to talk only to secondary site. will this work if i remove all the firewall connections which i have created to provide access to the remote clients to PR1 primary server ?
Can you share the database and content if one sup is http and the other is https?
For the database, I don’t think it will matter if one SUP is HTTPS and one is HTTP.
Should the update source on the additional WSUS be from the original WSUS server or from Microsoft Updates?
ConfigMgr will set this automatically for you. Ultimately it’s a shared DB that will look to MS updates.
I am still getting “Synchronizing replica WSUS servers” and “sync: Starting Replica WSUS synchronization” after configuring shared WSUS. I even removed the WSUS role and re-installed. After synchronizing software updates, the top level WSUS server is shown as an upstream server, replica in both WSUS servers. Any idea why?
Sorry for the delay, did you figure this one out?
What kind of bandwidth do you need available between remote servers for this to work correctly?
We’re looking at potentially switching to using one shared SQL database for our WSUS setup. Currently we have 1 SQL DB and 1 Upsteam WSUS server in Europe and 1 SQL DB and 1 Downstream WSUS server in Americas. This is integrated with SCCM of course.
Using iperf3 to test the connection speed between the downstream WSUS server and the European SQL server, it shows ~11.2 Mbits/sec. We have roughly 3500 clients (about 2200 in Europe/Asia which use the European servers and 1100 in Americas). Is this adequate or should I stick to separate DBs?
We just started to use PatchMyPC last year :-).
I think just testing it would be that way to go. Ideally you would want a very good connection between the WSUS frontend and the SQL server. I know I’m a bit late, but what did you end up finding out here?
First of all, thanks a lot for sharing knowledge by creating such wonderful content.
We are setting up new MECM Infra (CAS and two Primary Sites) to support around 175K endpoints across the US geo locations.
Based on the best practices recommended by MS we are thinking of setting up Shared WSUS DB for about 7-8 SUPs in our new architecture.
I have the following questions:
1) We are setting up a remote site system server for CAS SQL Site DB with 16 CPU cores and 96GB or Physical Memory. Do you recommend to use the same server for the Shared WSUS DB? If yes, do you think we might have to bump up either the CPU cores or RAM?
2) Do all SUPs need the internet connectivity for the catalog synchronization?
3) Will all WSUS servers share the Content location as well?
Thanks in Advance!
Thanks so much for these videos. I’ve just implemented our passive site server from your other videos. Will there be any issues moving the wsus db to a SQL cluster or AG, and then sharing it out to all sups? Thanks in advance. Cheers