You must prepare ConfigMgr and your Windows
infrastructure for the Software Updates functionality. Although it is
relatively straightforward to install and configure, you must make
several decisions along the way and be patient, because the initial
synchronization process can take some time to complete. Preparation
tasks include the following:
Installing WSUS
Adding software update points
Preparing for synchronization
Configuring the agents
Establishing group policies
The following sections discuss these areas.
1. Software Updates Prerequisites
WSUS
is the only real prerequisite to enable Software Updates in ConfigMgr.
Download WSUS and (as a minimum) install the WSUS Software Development
Kit (SDK) on the primary site server; you do this by installing the
WSUS administrator console. You must also install the WSUS server
component on either the primary site server or another accessible
server that meets the requirements for WSUS, as listed at http://technet.microsoft.com/en-us/wsus/bb466188.aspx:
Microsoft
Windows Server 2008 (Standard or Enterprise Edition), or Microsoft
Windows Server 2003 (Standard or Enterprise Edition), or Microsoft
Windows 2000 Server or Advanced Server with Service Pack 4 (SP 4) or
later
1GB or more RAM
1GHz Pentium III or higher processor
Microsoft .NET Framework 1.1 SP 1
Microsoft Background Intelligent Transfer Services (BITS) 2.0
Microsoft Internet Explorer 6 SP 1
Internet Information Services (IIS) 5.0 or later
WSUS
also requires a SQL Server database. Generally, you use the same SQL
Server installation for WSUS that you use for ConfigMgr. You can create
a separate SQL Server instance for ConfigMgr to allow for granular
resource control; however, this is not required as the instance of WSUS
does not manage any client data and requires very little overhead on
the database server, regardless of the size of the ConfigMgr
installation.
WSUS 3.0 Service Pack 1 is
required for ConfigMgr 2007 Service Pack 1 and Release 2 (R2) for
installation on Windows Server 2008. Both 64-bit and 32-bit versions of
WSUS are available.
Microsoft
recommends installing WSUS on a dedicated server for larger sites. Each
WSUS instance can handle up to 25,000 clients; for sites that are
larger, you should deploy a Network Load Balanced (NLB) cluster to
scale out the capacity of WSUS. Every ConfigMgr primary site must have
a separate WSUS instance; this instance is optional for secondary sites
to offload work and network traffic from the primary site WSUS server.
WSUS installation is straightforward and wizard driven, with the following guidance:
Choose to store updates locally on the system rather than Microsoft Update, as shown in Figure 1.
This setting allows WSUS to download and store license terms for
specific software updates in the update content folder that you choose;
ConfigMgr handles the actual download and deployment of updates. During
the update synchronization process, ConfigMgr looks for applicable
license terms in the content folder. If it cannot find the license
terms, it will not synchronize the update. Additionally, clients must
also have access to the applicable license terms in order to scan for
update compliance.
If
using a dedicated system for WSUS, use the default website to host
WSUS. If you are hosting any other ConfigMgr roles on the system,
create a dedicated IIS site; although this is not necessarily a
standard best practice and not a technical requirement, it is the
opinion of the authors that a dedicated site keeps things nice and tidy
and prevents any confusion over which site handles the WSUS
responsibilities. The port numbers for a dedicated site are 8530 and
8531 for Secure Socket Layer (SSL) connections. Figure 2 displays these options.
Click
Cancel to skip the Configuration Wizard that launches at the end of
installation. WSUS does not require manual configuration because
ConfigMgr 2007 takes over the control and configuration of WSUS once
you install a software update point (SUP).
You
may use an existing WSUS server installation as an SUP for ConfigMgr;
however, you should first delete the update catalog and associated
metadata from WSUS to reset WSUS back to a clean state, thus allowing
ConfigMgr to properly manage and control it. In addition, because
ConfigMgr takes complete control over the WSUS configuration, do not
configure any clients not managed by ConfigMgr to use this WSUS
installation, as this is not a supported configuration.
