Overview
- In this video guide, we cover how to use a shared WSUS database (SUSDB) for multiple software update points (SUPs) in SCCM. Sharing the SUSDB is generally considered a best practice when the SUPs are well connected to the SQL Server: every SUP that uses the shared database serves identical update metadata and revision IDs, so a client that switches SUPs can do a delta scan instead of the full scan it would otherwise need, which removes most of the network impact of a SUP switch.
Topics in Video
- Review the SCCM docs and why a WSUS shared DB is usually a good idea – https://youtu.be/y7w7hBSHShc?t=42
- Review why wsyncmgr syncs are faster when using shared WSUS database – https://youtu.be/y7w7hBSHShc?t=93
- Review current labs primary SUP with SQL DB, and secondary SUP using WID – https://youtu.be/y7w7hBSHShc?t=175
- Enable Debug and Verbose logging to wsyncmgr.log and wcm.log – https://youtu.be/y7w7hBSHShc?t=293
- Review how the WSUS_Configuration_Manager thread reads all available SUPs at startup and how it determines if it’s using a shared WSUS database – https://youtu.be/y7w7hBSHShc?t=419
- Review wsyncmgr.log for multiple SUPs in a non shared WSUS Database – https://youtu.be/y7w7hBSHShc?t=508
- Remove WID WSUS role service and add SQL WSUS role service – https://youtu.be/y7w7hBSHShc?t=686
- Configure SUP-2 to use SUP-1’s WSUSContent library folder for EULA/3rd-Party Update Content – https://youtu.be/y7w7hBSHShc?t=843
- Run WSUSUTIL.exe postinstall to change WSUS to use the shared SQL Database and Shared WSUSContent folder – https://youtu.be/y7w7hBSHShc?t=1005
- Resolve IIS misconfigurations after postinstall – https://youtu.be/y7w7hBSHShc?t=1215
- Add “\\” to the beginning of the Physical path of the Content virtual directory in IIS
- Change Anonymous Authentication to use the WSUS Application Pool Identity instead of the local IUSR account
- Start WSUS_Configuration_Manager and validate it updates SUP-2 configuration in the active SUP list to be a shared WSUS database – https://youtu.be/y7w7hBSHShc?t=1505
- Publish a third-party update to get a WSUS catalog change and run a SUP sync to review how the sync is now treated as a single SUP sync – https://youtu.be/y7w7hBSHShc?t=1637
- Setup shared WSUS database in a new clean WSUS installation on a new SUP rather than converting an existing SUP to a shared WSUS database – https://youtu.be/y7w7hBSHShc?t=1744
Commands and Notes:
- PowerShell command to see the installed WSUS role services: Get-WindowsFeature -Name UpdateServices*
- PowerShell command to remove the WSUS WID database role service: Remove-WindowsFeature -Name UpdateServices-WidDB
- PowerShell command to install WSUS SQL Server database connectivity: Install-WindowsFeature -Name UpdateServices-DB
- WsusUtil command: WsusUtil.exe postinstall SQL_INSTANCE_NAME="SCUP.CONTOSO.LOCAL" CONTENT_DIR="\\SCCM3-DPMPSUP-1.CONTOSO.LOCAL\WSUS"
- SQL_INSTANCE_NAME and CONTENT_DIR should be changed to match your environment: the SQL instance that hosts the shared SUSDB, and the UNC path of the shared WSUSContent share
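The steps above, as one PowerShell script for SUP-2. This is an added example, not a script from the video or from Microsoft: it removes the WID back end, runs postinstall against the shared SQL instance and content share, repairs the two IIS settings the video fixes by hand, and then reads the WSUS setup registry key on both SUPs to confirm they agree on the SQL server and content directory. The server, share and SQL instance names are the placeholders from the command line above; the assumptions that the account running it is a SQL sysadmin, that WsusPool runs as NETWORK SERVICE (so the share ACL must grant SUP-2's computer account), and that WinRM is reachable on SUP-1 are marked in the comments.

```powershell
# Added example (not from the video): convert SUP-2 from WID to the shared SUSDB and
# shared WSUSContent, fix IIS, and verify both SUPs read the same configuration.
# Run in an elevated PowerShell session on SUP-2. Names below are placeholders.

$SqlInstance  = 'SCUP.CONTOSO.LOCAL'                       # SQL instance hosting the shared SUSDB
$Sup1         = 'SCCM3-DPMPSUP-1.CONTOSO.LOCAL'            # SUP-1, which already uses SQL and owns the share
$ContentShare = "\\$Sup1\WSUS"                             # UNC share that contains SUP-1's WSUSContent
$WsusSite     = 'WSUS Administration'                      # IIS site name created by the WSUS role
$WsusUtil     = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'

# 1. Show which WSUS role services are installed (expect UpdateServices-WidDB on a WID-based SUP).
Get-WindowsFeature -Name UpdateServices* | Format-Table Name, InstallState -AutoSize

# 2. Swap the WID database role service for SQL Server connectivity.
#    Restart the server if either cmdlet reports that a restart is required before continuing.
Remove-WindowsFeature -Name UpdateServices-WidDB
Install-WindowsFeature -Name UpdateServices-DB

# 3. Point this WSUS instance at the shared SUSDB and the shared content folder.
#    Assumption: the account running this has sysadmin on $SqlInstance so postinstall can attach to
#    the existing SUSDB. WsusPool runs as NETWORK SERVICE by default, which reaches the share as
#    SUP-2's computer account, so grant that computer account (not Everyone) on the share and NTFS ACL.
& $WsusUtil postinstall "SQL_INSTANCE_NAME=$SqlInstance" "CONTENT_DIR=$ContentShare"
if ($LASTEXITCODE -ne 0) { throw "WsusUtil postinstall failed with exit code $LASTEXITCODE" }

# 4. Fix the IIS misconfigurations postinstall leaves on the Content virtual directory.
Import-Module WebAdministration
$contentVdir = "IIS:\Sites\$WsusSite\Content"
$physical = (Get-WebVirtualDirectory -Site $WsusSite -Name 'Content').physicalPath
# postinstall drops the leading backslashes of the UNC path; rebuild it as \\server\share\... if needed.
if ($physical -notlike '\\*') {
    $fixed = '\\' + $physical.TrimStart('\')
    Set-ItemProperty -Path $contentVdir -Name physicalPath -Value $fixed
    Write-Host "Physical path corrected: '$physical' -> '$fixed'"
}
# Anonymous requests must run as the WsusPool application pool identity rather than the local IUSR
# account, which has no rights on the remote share. An empty userName selects the app pool identity.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$WsusSite/Content" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 5. Verify that both SUPs now read the same SQL server and content directory from the WSUS setup key.
#    Assumption: WinRM is enabled on SUP-1 and the current user may read its registry remotely.
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$cfg = Invoke-Command -ComputerName $Sup1, $env:COMPUTERNAME -ScriptBlock {
    Get-ItemProperty -Path $using:setupKey |
        Select-Object @{n = 'Server'; e = { $env:COMPUTERNAME } }, SqlServerName, ContentDir, PortNumber, UsingSSL
}
$cfg | Format-Table -AutoSize
foreach ($prop in 'SqlServerName', 'ContentDir') {
    if (($cfg.$prop | ForEach-Object { $_.ToLower() } | Select-Object -Unique).Count -ne 1) {
        Write-Warning "SUPs disagree on $prop; WSUS_Configuration_Manager will not treat them as a shared SUSDB"
    }
}
```

Step 5 is the check to run before restarting WSUS_Configuration_Manager: if SqlServerName or ContentDir differs between the two servers, the component will still list them as separate WSUS databases and wsyncmgr.log will keep synchronizing SUP-2 as a replica.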
Helpful Resources:
- Great blog post version of using a shared WSUS Database – https://blogs.technet.microsoft.com/configurationmgr/2016/10/12/how-to-implement-a-shared-susdb-for-configuration-manager-software-update-points/
- Manually switch clients to a new software update point – https://docs.microsoft.com/en-us/sccm/sum/plan-design/plan-for-software-updates#BKMK_ManuallySwitchSUPs
- Use a shared WSUS database for software update points (Installation Best Practices) – https://docs.microsoft.com/en-us/sccm/sum/plan-design/software-updates-best-practices#bkmk_shared-susdb
- Managing WSUS from the Command Line – https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127395
Hi Justin,
I’m really grateful for your videos; I have learned so much. However, I have a question about the shared content folder.
Is locating the shared content folder on a DFS share supported?
In a failure scenario it would be good not to need to recover the content folder as well as the SUSDB.
Thanks
I think it may be supported, but we have seen some issues with third-party updates (CAB) files sometimes deleting on DFS when multiple WSUS servers point to the same DFS share.
Hi Justin,
again a great video!
Is it possible to share the WSUS database in an untrusted domain scenario?
Example: SUP 1 = Domain 1; SUP 2 = Domain 2 (DMZ)
Thanks!
Yeah it is, you will need to use a connection account in the SUP site system.
Just wondering how that works, as this is still about WSUS so far, not yet the SUP.
How can the 2nd WSUS connect to SQL in another domain without providing credentials?
Similar with the share, isn’t it?
In the SUP, I believe you can provide a SQL connection account.
I would also be very interested in the shared SUSDB configuration in an untrusted forest.
I don’t see a way to add a SQL connection account during the installation of the WSUS feature (prerequisite).
The same with the share, which must be accessible during the WSUS setup. There is also no option for a connection account.
Or did I miss something? Is there another installation method?
Thanks for the help!
About using SSL for the SUP on both servers. I am planning to use the following setup:
On the primary site, I will have a share for wsus (\\server1\wsus).
Two SUPs pointing their contentDir at that share and using the same DB.
Both SUPs should be configured to use SSL; will it cause a problem when browsing to get the EULA? When I am trying to browse the content (the dummy file) using port 8531 I get a certificate error.
Should I have the site server name in the SAN of the certificate?
Thank you!
When a PR1 primary SUP and a Sec1 secondary site SUP are hosted in a remote place, can I restrict all clients from the remote place to talk only to the secondary site? Will this work if I remove all the firewall connections which I have created to provide the remote clients with access to the PR1 primary server?
Can you share the database and content if one sup is http and the other is https?
For the database, I don’t think it will matter if one SUP is HTTPS and one is HTTP.
Should the update source on the additional WSUS be from the original WSUS server or from Microsoft Updates?
ConfigMgr will set this automatically for you. Ultimately it’s a shared DB that will look to MS updates.
I am still getting “Synchronizing replica WSUS servers” and “sync: Starting Replica WSUS synchronization” after configuring the shared WSUS database. I even removed the WSUS role and re-installed it. After synchronizing software updates, the top-level WSUS server is shown as an upstream server, replica, in both WSUS servers. Any idea why?
Thanks,
John
Sorry for the delay, did you figure this one out?
What kind of bandwidth do you need available between remote servers for this to work correctly?
We’re looking at potentially switching to using one shared SQL database for our WSUS setup. Currently we have 1 SQL DB and 1 upstream WSUS server in Europe and 1 SQL DB and 1 downstream WSUS server in the Americas. This is integrated with SCCM of course.
Using iperf3 to test the connection speed between the downstream WSUS server and the European SQL server, it shows ~11.2 Mbits/sec. We have roughly 3500 clients (about 2200 in Europe/Asia which use the European servers and 1100 in Americas). Is this adequate or should I stick to separate DBs?
We just started to use PatchMyPC last year :-).
I think just testing it would be the way to go. Ideally you would want a very good connection between the WSUS front end and the SQL server. I know I’m a bit late, but what did you end up finding out here?
Hey Justin,
First of all, thanks a lot for sharing knowledge by creating such wonderful content.
We are setting up new MECM Infra (CAS and two Primary Sites) to support around 175K endpoints across the US geo locations.
Based on the best practices recommended by MS we are thinking of setting up Shared WSUS DB for about 7-8 SUPs in our new architecture.
I have the following questions:
1) We are setting up a remote site system server for the CAS SQL site DB with 16 CPU cores and 96 GB of physical memory. Do you recommend using the same server for the shared WSUS DB? If yes, do you think we might have to bump up either the CPU cores or the RAM?
2) Do all SUPs need the internet connectivity for the catalog synchronization?
3) Will all WSUS servers share the Content location as well?
Thanks in Advance!
Regards
Hi Justin,
Thanks so much for these videos. I’ve just implemented our passive site server from your other videos. Will there be any issues moving the wsus db to a SQL cluster or AG, and then sharing it out to all sups? Thanks in advance. Cheers