WSUS Deployment Lab Part 5: Project WSUS Overview

1. Overview of WSUS Setup
WSUS Simple Overview
The most basic WSUS deployment consists of a server inside the corporate firewall that serves client computers on a private intranet.
 
 
WSUS server hierarchies
Autonomous mode: An upstream WSUS server shares updates with its downstream server or servers during synchronization, but not update approval status or computer group information. Downstream WSUS servers must be administered separately.
 
Replica mode: An upstream WSUS server shares updates, approval status, and computer groups with its downstream server or servers. Downstream replica servers inherit update approvals and cannot be administered apart from their upstream WSUS server.
 
 
Upstream & downstream with replica mode
Centralized management
HK as upstream management server
Other countries to run replica servers
Replica servers are not administered separately
used only to distribute approvals, groups, and updates
approvals and targeting groups created on the Upstream server are replicated throughout the entire organization
 
Branch offices
low-bandwidth connections to the central office
high-bandwidth connections to the Internet
downstream WSUS servers to get information about which updates to install from the central WSUS server
but download the updates themselves from Microsoft Update
 
2. Workflow
Normal Patch Management process:
1) On the normal "Patch Tues" (second Tuesday of each month), the person in charge (we are currently rotating this between SGP, TWN & KOR) will go through the new Windows critical patches and approve them to the Test group for each country. [Test group contains ITS machines]
2) An email will be sent out to inform Hub managers about the new patches and to collect feedback, if any.
3) After 1 week, if there is no feedback on any problem, the patches will then be released to the Pilot groups for each country. [Pilot group contains selected users' machines from different streams/divisions]
4) Another email will be sent to inform them about this release to the Pilot group.
5) The new patches will then be released to all (Main groups) if there is no feedback the following week. [Main group contains all other machines]
 

"Out of normal/band" Patch Management process:
1) If there are any "out of band/normal" patches within the month, the person in charge (we are currently rotating this between SGP, TWN & KOR) will go through these patches and approve them to the Test group only. [Test group contains ITS machines]
3) After 3 days, if there is no feedback on any problem, the patches will then be released to all (Pilot and Main groups). [Main group contains all other machines]
 
3. Demo on Patch Approval (Done by Upstream server Admins)
 
 
 
4. Downstream servers Admin Guide
Simple overview on console

Moving clients to respective group
Go to Unassigned Computers group
 
Right-click and select Change Membership…
 
Check the group or groups you want the computer to be part of
 
It is recommended to check the Unassigned Computers group weekly for new machines.

Run Server Cleanup Wizard
At the end of every month, run this wizard to remove old updates and computers that are no longer reporting. It is found in the WSUS Console under Options.
 
Select all checkboxes and click Next. The cleanup completes in a few minutes.
 
Generating reports
Reports can be generated under the REPORTS menu. We will use Update Tabular Status as the example here.
 
Select the Report Options as required
Since we patch only Critical & Security Updates for Windows XP, that is what we select for the report.
Here we have selected only the Singapore groups as an example.
 
All the updates are shown on the left, with each update's deployment status shown on its right
Sort by Failed status to see which has the highest fail count
Click on the Update Title to see the machines that failed the deployment and troubleshoot from there.
Where necessary, manually install the Updates.
 
Generating reports by specific KB#
To see on which PCs a given KB# failed or deployed OK, right-click the Updates view and select Search
 
Run a report for a specific PC
To see which KB#s failed or deployed OK on a given PC, right-click Computers and select Search
 
Checking the patch status from client PC
Patch status can be seen in Add/Remove Programs on the client machines
Patch status can also be generated in EMS

Troubleshooting Guide
Clients not reporting to WSUS
Run clientdiag.exe
1. Access the following URLs from the client:
http://servername/iuident.cab <should prompt for file download>
http://servername/selfupdate/iuident.cab <should prompt for file download>
http://servername/clientwebservice/wusserverversion.xml <should be an xml page>
http://servername/simpleauthwebservice/simpleauth.asmx <should see two options on the webpage>

2. Location of log files for more detailed events
Server side: %programfiles%\Update Service\LogFiles
Client side: %windir%\windowsupdate.log

3. If client PCs have been moved or deleted from a group, they will not be removed or deleted from the Upstream. Running the Server Cleanup Wizard will remove them.
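
The four URL checks in troubleshooting step 1 can be scripted so the result is the same on every client. This PowerShell function is an added example, not part of the original guide; the function name Test-WsusEndpoint is hypothetical and "servername" is the guide's own placeholder. The scheme is part of the base URL, so the same check works against a WSUS server published over HTTPS.

```powershell
# Added example, not from the original guide. Run on the client PC.
function Test-WsusEndpoint {
    param([Parameter(Mandatory)][string]$BaseUrl)   # e.g. http://servername

    # Each path from the guide, with the kind of response it should return.
    $checks = @(
        @{ Path = '/iuident.cab';                           Expect = 'cab'  }
        @{ Path = '/selfupdate/iuident.cab';                Expect = 'cab'  }
        @{ Path = '/clientwebservice/wusserverversion.xml'; Expect = 'xml'  }
        @{ Path = '/simpleauthwebservice/simpleauth.asmx';  Expect = 'html' }
    )

    foreach ($c in $checks) {
        $row = [ordered]@{ Url = $BaseUrl.TrimEnd('/') + $c.Path; Status = $null; Ok = $false; Detail = '' }
        try {
            $r = Invoke-WebRequest -Uri $row.Url -UseBasicParsing -TimeoutSec 15
            $row.Status = [int]$r.StatusCode
            switch ($c.Expect) {
                'cab' {
                    # A cabinet file begins with the ASCII signature "MSCF".
                    $bytes = $r.RawContentStream.ToArray()
                    $sig = if ($bytes.Length -ge 4) { [Text.Encoding]::ASCII.GetString($bytes, 0, 4) } else { '' }
                    $row.Ok = ($sig -eq 'MSCF')
                    $row.Detail = "$($bytes.Length) bytes, signature '$sig'"
                }
                'xml' {
                    # XmlDocument.Load throws if the body is not well-formed XML.
                    $r.RawContentStream.Position = 0
                    $doc = New-Object System.Xml.XmlDocument
                    $doc.Load($r.RawContentStream)
                    $row.Ok = $true
                    $row.Detail = "root element <$($doc.DocumentElement.Name)>"
                }
                'html' {
                    # Only confirms a page is served; open it in a browser to see the options.
                    $type = "$($r.Headers['Content-Type'])"
                    $row.Ok = ($type -like 'text/html*')
                    $row.Detail = "Content-Type: $type"
                }
            }
        } catch {
            # Non-2xx responses, DNS, proxy and connection errors all land here.
            $row.Detail = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

Test-WsusEndpoint -BaseUrl 'http://servername' | Format-Table -AutoSize -Wrap
```

A row with Ok = False and an error in Detail points at name resolution, proxy settings or IIS on the server; the log files listed in step 2 give the detail.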
 
