Discussion:
WSUS and Disconnected Networks
JK
2008-04-11 17:58:00 UTC
Here is an overview of how I use the system.
I have an export server which I use to download updates, approve and decline
updates, then run the server cleanup wizard. I then export the patches and
database to use on an offline WSUS server.

The patches and database are then imported into the import (disconnected)
WSUS server. The approval/declined status does not follow so I have to
decline and approve the updates again. What I am trying to do is decline
anything that is superseded and then I approve everything else. What happens
is that WSUS downloads get stuck at a certain percentage and the Windows
event log states that the update file does not exist at the proper location.
WSUS does not continue on trying to download the next update. WSUS thinks it
needs to download 11GB when only 4GB should exist.

What I would like to know is:
Is there a way to keep the declined and approval status for updates to avoid
this problem?

Is there some way to make WSUS continue on with these updates?

I am sure there aren't many who are using WSUS in a disconnected fashion,
but any help would be great!
Lawrence Garvin [MVP]
2008-04-11 23:31:15 UTC
Post by JK
> Here is an overview of how I use the system.
> I have an export server which I use to download updates, approve and decline
> updates, then run the server cleanup wizard. I then export the patches and
> database to use on an offline WSUS server.
> The patches and database are then imported into the import (disconnected)
> WSUS server. The approval/declined status does not follow so I have to
> decline and approve the updates again. What I am trying to do is decline
> anything that is superseded and then I approve everything else. What happens
> is that WSUS downloads get stuck at a certain percentage and the Windows
> event log states that the update file does not exist at the proper location.
> WSUS does not continue on trying to download the next update. WSUS thinks it
> needs to download 11GB when only 4GB should exist.
> Is there a way to keep the declined and approval status for updates to avoid
> this problem?

Try changing your disconnected server to a =replica= server, which will then
force it to synchronize approvals from the upstream metadata also.

Post by JK
> I am sure there aren't many who are using WSUS in a disconnected fashion,

Actually.. you'd be surprised.
--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
JK
2008-04-14 12:29:03 UTC
Will it try to force it to synchronize approvals from the upstream metadata
even if it is disconnected?

Thanks
Lawrence Garvin [MVP]
2008-04-14 17:00:24 UTC
Post by JK
> Will it try to force it to synchronize approvals from the upstream metadata
> even if it is disconnected?
> Thanks

Only if you *incorrectly* configure automated synchronizations,
or *incorrectly* initiate a manual synchronization.
JK
2008-04-14 17:20:01 UTC
I tried the replica suggestion but everything just shows as not approved.

In Update Source, I have tried setting it to Microsoft, even though it is
offline, synchronize with itself, and being a replica of an upstream server
with no luck.

What do you mean by an incorrect manual synchronization?

I would have thought all I have to do is export and then import and it
should work. Do I need a special configuration on the import server?

Thanks
Lawrence Garvin [MVP]
2008-04-14 17:57:34 UTC
Post by JK
> I tried the replica suggestion but everything just shows as not approved.

Hmmm.... I'll check with the WSUS devs tomorrow (I'm @ Microsoft this week);
perhaps I am incorrect in this expectation.

Post by JK
> In Update Source, I have tried setting it to Microsoft, even though it is
> offline, synchronize with itself, and being a replica of an upstream server
> with no luck.
> What do you mean by an incorrect manual synchronization?

I mean, simply, that a disconnected server should *NEVER* have a
"synchronization" event run on it. All "synchronization" requirements are
met as a result of the filesystem restore and the metadata import. But if
you do run a synchronization, and the disconnected server is actually
'connected' -- then the synchronization will likely succeed. If the
disconnected server is truly disconnected, then you'll just get a
synchronization failure message in the logs.

Post by JK
> I would have thought all I have to do is export and then import and it
> should work.

Exactly -- notwithstanding performing those steps in the correct order...
(export; backup; restore; import),
after ensuring that the connected server is not executing a
synchronization event,
and is not downloading any content.

If the connected server is still downloading content, then you'll get
metadata in your export for which you do not have content in your backup,
and as soon as you mark that update as "approved" on the disconnected
server, it's going to try to download the missing content.

Post by JK
> Do I need a special configuration on the import server?

No.
JK
2008-04-14 18:26:01 UTC
Post by Lawrence Garvin [MVP]
> If the connected server is still downloading content, then you'll get
> metadata in your export for which you do not have content in your backup,
> and as soon as you mark that update as "approved" on the disconnected
> server, it's going to try to download the missing content.

This is where I believe the problem lies. I have metadata but no content,
but because I declined it on the export server, I would have thought there
should be no content, but the metadata knows about the patches, just not the
approval/declined status.

I approve and decline updates. The updates download, verified in the
download status window, I use ntbackup to backup the data, export metadata
using WSUSutil.

I then use ntbackup to restore the content, import the metadata, approve
ALL updates, even the ones I know are missing, and it says it needs to
download 50GB or whatever the amount is. I would think it would not find the
content and error within WSUS, thus allowing me to decline the updates with
missing content.

Am I supposed to decline and approve the exact same patches on the import
server? This could be very tedious.
Lawrence Garvin [MVP]
2008-04-15 04:17:41 UTC
Post by JK
> Post by Lawrence Garvin [MVP]
>> If the connected server is still downloading content, then you'll get
>> metadata in your export for which you do not have content in your backup,
>> and as soon as you mark that update as "approved" on the disconnected
>> server, it's going to try to download the missing content.
> This is where I believe the problem lies. I have metadata but no content,
> but because I declined it on the export server, I would have thought there
> should be no content, but the metadata knows about the patches, just not the
> approval/declined status.

This would be an issue if also, after declining the update on the connected
server, you also ran the Server Cleanup Wizard, and purged the declined
content.

Post by JK
> approve ALL updates, even the ones I know are missing,

*THIS* is your problem!!! Why would you approve updates on the disconnected
server for updates that you KNOW ARE MISSING?

Where do you expect the disconnected server to get this content from?

Furthermore.. why would you approve ALL updates anyway? Certainly you don't
need ALL updates to be installed on client systems!?

Post by JK
> and it says it needs to download 50GB or whatever the amount is.

Yep... that would be the 50GB of updates you just approved that you knew
didn't have content on the connected server.

Post by JK
> I would think it would not find the
> content and error within WSUS, thus allowing me to decline the updates with
> missing content.

Well.. it doesn't. You approve the update; it tries to download the missing
content.

Post by JK
> Am I supposed to decline and approve the exact same patches on the import
> server? This could be very tedious.

You're supposed to approve updates on the disconnected server that have only
been approved on the connected server, yes.
JK
2008-04-15 13:17:00 UTC
So, I am supposed to provide the administrator at the disconnected system
with a list of what has been approved and declined every time the metadata is
exported and imported? And they are supposed to go through 1000+ patches and
approve/decline every time, for each patch? I would think that WSUS would
just skip the content that is missing, and move onto the next patch. Then I
could decline patches that are missing. Or not export the patch information
that has been declined, or keep the approval/declined status.

It's almost like I need a way to remove declined patches from the metadata
before I export. I view this as a serious design flaw if this is the true way
this is supposed to function.
Harry Johnston [MVP]
2008-04-16 18:13:31 UTC
Post by JK
> So, I am supposed to provide the administrator at the disconnected system
> with a list of what has been approved and declined every time the metadata is
> exported and imported? And they are supposed to go through 1000+ patches and
> approve/decline every time, for each patch?

I believe they should only need to deal with the new patches each time, which
would probably be manageable - except for the first time, of course.

The methodology which might be preferable is to approve (on the disconnected
server) only those patches which are detected as needed. You can do this easily
by filtering the view for unapproved/needed. Since this should be a short list,
it shouldn't be too hard to pick out the superseded updates if any.

You would still need to provide a list of those updates which you deliberately
chose to decline despite their being needed. This would normally be a short list.

The only major hassle I can see would be in the scenario where the machines on
the disconnected network are badly out of date and there are lots of superseded
updates detecting as needed. However it should still be manageable, if they
start with the most recent updates and approve a dozen or so each day.

Post by JK
> I would think that WSUS would
> just skip the content that is missing, and move onto the next patch. Then I
> could decline patches that are missing. Or not export the patch information
> that has been declined, or keep the approval/declined status.

Remember that the disconnected server doesn't know that it is disconnected.
Granted, this functionality could be improved upon, but I suspect it isn't
particularly high on Microsoft's priority list, given the (presumably)
relatively small number of sites using it.

I don't know whether SMS or any third-party solutions provide for the
disconnected network scenario; if so, I'd expect them to provide more convenient
mechanisms.

Harry.
JK
2008-04-16 18:23:00 UTC
I contacted Microsoft and they provided me with a link to some tools:

The tool for exporting approvals and documentation are located at the
following links:

Documentation for WSUS API Samples and Tools (there are several features,
one is exporting / importing approvals)
http://download.microsoft.com/download/c/d/a/cdaa6a86-499f-4466-97f6-f269f1dc88c0/Windows%20Server%20Update%20Services%20API%20Samples%20Readme.mht

The tool is at the following location:
http://download.microsoft.com/download/5/d/c/5dc98401-bb01-44e7-8533-3e79ae0e0f97/Update%20Services%203.0%20API%20Samples%20and%20Tools.EXE


I will test and return with the results!
JK
2008-04-17 11:43:00 UTC
Testing is successful!
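
The approach the thread settles on (re-apply on the disconnected server only the decisions already made on the connected one) can be scripted against the WSUS administration API. The following is an added example, not part of any post above and not the Microsoft sample tool JK links to; the function names and CSV columns are assumptions, and target groups are matched by name.

```powershell
# Added example: carry approve/decline decisions across the air gap as a CSV.
# Function names and CSV columns are assumptions made for this sketch.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Export-ApprovalState([string]$Path) {    # run on the connected server
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $groups = @{}
    foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Id] = $g.Name }
    $rows = foreach ($u in $wsus.GetUpdates()) {
        if ($u.IsDeclined) {
            New-Object psobject -Property @{
                UpdateId = $u.Id.UpdateId; State = 'Declined'; Group = ''; Title = $u.Title }
        } else {
            foreach ($a in $u.GetUpdateApprovals()) {
                if ($a.Action -eq 'Install') {     # only install approvals are carried over
                    New-Object psobject -Property @{
                        UpdateId = $u.Id.UpdateId; State = 'Approved'
                        Group = $groups[$a.ComputerTargetGroupId]; Title = $u.Title }
                }
            }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
}

function Import-ApprovalState([string]$Path) {    # run on the disconnected server,
    # after the content restore and the wsusutil metadata import
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $groups = @{}
    foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Name] = $g }
    foreach ($row in Import-Csv -Path $Path) {
        $id = New-Object Microsoft.UpdateServices.Administration.UpdateRevisionId `
                  -ArgumentList ([Guid]$row.UpdateId)
        try { $u = $wsus.GetUpdate($id) }
        catch { Write-Warning "Not in imported metadata: $($row.Title)"; continue }
        if ($row.State -eq 'Declined') {
            if (-not $u.IsDeclined) { $u.Decline() }
        } elseif ($groups.ContainsKey($row.Group)) {
            $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
            [void]$u.Approve($install, $groups[$row.Group])
        } else {
            Write-Warning "No target group '$($row.Group)' here; skipped $($row.Title)"
        }
    }
}
```

Updates that appear in the imported metadata but not in the CSV stay unapproved, so the disconnected server is never asked to fetch content that was absent from the backup.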
