Because the highest level active software update point for a Configuration Manager site hierarchy must synchronize with Microsoft Update, it can be a little difficult to get this working in non-Internet connected sites. This post explains how to get the latest software updates scan metadata imported into the site database to enable software updates functionality for non-Internet connected Configuration Manager sites and site hierarchies.
This process is already documented in the Configuration Manager documentation library, but I figured that I'd blog the steps that I took as another resource for you. You should probably check out the 'official' version first: How to Synchronize Updates Using Export and Import at: http://technet.microsoft.com/en-us/library/bb680473.aspx .
Note: I'm using WSUS 3.0 SP1 because SP1 is required for Configuration Manager 2007 SP1 sites.
To get started, you'll need to have the x86 version of WSUS 3.0 SP1 (WSUSSetup_30SP1_x86.exe) installed on a computer that has Internet access. This is because the tool used to export and import the metadata only works on the x86 version. Clients don't need to connect to this computer and it can even be a VM. We just need to get the WSUS catalog synchronized with Microsoft Update so we can transfer the scan metadata back to the SUP in the non-Internet connected site. WSUS installation is fairly straightforward so I won't go into it in much detail here. Just be sure that you install both WSUS and the administration console and configure the WSUS Server to store updates locally (we won't actually download any updates on this server, but the update EULAs need to be stored locally in the WsusContent directory so we can transfer them later).
If you don't already have it/haven't installed it yet, to get WSUS 3.0 SP1, head to the Windows Server Update Services 3.0 SP1 download page at: http://www.microsoft.com/downloads/details.aspx?FamilyId=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en.
Tip: You don't need to install WSUS 3.0 before installing SP1. Just run the SP1 install and you'll have everything you need.
For the WSUS installation that will synchronize with Microsoft Update, you'll need to install both WSUS and the administration console. For the WSUS installation that will be co-located with the non-Internet connected software update point (if it's not on the site server computer), you only need to install WSUS. The WSUS administration console bits need to be installed on the non-Internet connected site server so we can configure the WSUS settings, but that's a standard software update point prerequisite so I'm guessing you already knew that. If you didn't, the prerequisites for Configuration Manager software update point installation are located in this topic Prerequisites for Software Updates at: http://technet.microsoft.com/en-us/library/bb680712.aspx .
I'm going to break down the following steps and call the WSUS Server installation connected to the Internet the WSUS export server and the WSUS installation supporting the software update point site system for the non-Internet connected site the WSUS import server.
On the WSUS export server:
Install WSUS 3.0 SP1 (WSUS and administration console), open the administration console, click Options
, and start the WSUS Server Configuration Wizard
. Most of the pages are fairly straightforward, but here they are as well as some things to keep in mind while configuring the WSUS installation:
- Decide if you'll participate in the Microsoft Update Improvement Program.
- Choose and upstream server to synchronize updates from (you'll want to synchronize with Microsoft Updates).
- Configure a proxy server if necessary.
- On the Connect to Upstream Server page, click Start Connecting. This downloads the types of updates available, the products that can be updated and available languages. This is going to take a couple of minutes.
- On the Choose Languages page, select the languages that you want to download updates for and click Next (it probably doesn't matter what is selected here as we won't use WSUS to download the updates anyway).
- On the Choose Products page, select the products that you want to synchronize updates for with Microsoft Update. These should be the products that you want to be able to patch your clients for in the non-Internet connected site later (ie Exchange Server 2007, Forefront Client Security, Windows Server 2008, etc…).
- On the Choose Classifications page, select the update classifications that you want to synchronize with Microsoft Update. Once again, these should be the classifications that you want to be able to patch your clients for in the non-Internet connected site later (ie Critical Updates, Security Updates, Updates, etc…).
- On the Configure Sync Schedule page, select a sync schedule option. You can either synchronize on a schedule or manually.
- On the Finished page, select the Begin initial synchronization option. Click Next and then Finish to begin synchronization. Some quick notes about this process:
- Grab a Snickers® it's going to be a while before the initial synchronization completes. I found it to be somewhere between around 1.5 to 2 hours.
- The WSUS database file sizes will increase during this process. The initial database files were 20.1MB and 2 MB for the SUSDB.mdf and SUSDB_log.ldf database files respectively. After synchronization, the database file sizes were 710MB and 61.9MB.
Verify the WSUS installation has completed synchronizing successfully by watching the SoftwareDistribution.log log file (%Program Files%\Update Services\LogFiles\) or you can also check the Synchronizations node of the WSUS administration console.
Next, you need to export software update metadata using the wsusutil.exe utility.
- Open a command prompt and navigate to the %Program Files%\Update Services\Tools directory.
- Run the following command to export the software updates scan metadata:
wsusutil export <drive letter>:\export.cab <drive letter>:\export.xml. You don't need to name them export.<extension>, it's just something that I do. You can name them whatever you want, but ensure that you save the export as a .cab. I also save the log file as an .xml because it makes it easier to read later.
- This takes about 15 minutes or so. In my little lab installation, the exported files were around 8MB for the export.cab and around 4MB for the export.xml. You won't see much interesting going on, but your command prompt should now display:
Updates are being exported. Please do not stop this program.
When it is finished, you'll see this message in the command prompt window: All updates are successfully exported.
On the WSUS import server:
- After the metadata export has completed, find some way to copy the export files to WSUS installation that is going to host the software update point for the non-Internet connected site. By this point I'm assuming you already have WSUS 3.0 SP1 and a software update point site system configured for the site. If so, skip to 3, if not go to 2 J
If you're installing WSUS on a soon-to-be software update point site system computer that is not on the site server, you need to install WSUS (no admin console) on the software update point computer and the administration console on the site server computer. However, if you're installing WSUS on the site server computer, you'll need to install the full installation including the Administration Console. If you do need to install the console, do just that—install it, but don't configure it. During installation when the Console Configuration wizard starts—click Cancel. When installing WSUS, take note of these settings:
- Do not synchronize from Microsoft Update and do not create WSUS reporting events.
- Do not schedule synchronization (we'll do it manually).
- Don't worry about the classifications and products settings (you can only configure those if you're sync'ing with Microsoft Update, so we'll handle what metadata we get from the online WSUS Server export files.
- Select the languages that you want to download (probably doesn't matter because we'll have to manually download these later).
- Finish the WSUS installation wizard.
- Install a software update point site system role on the newly installed WSUS Server and review SUP setup logs to ensure it is installed and WSUS is configured successfully: SUPSetup.log and WSUSCtrl.log log files in the ConfigMgr logs directory.
- Navigate to the Software Updates node in the Configuration Manager console. Refresh the software updates feature home page and you shouldn't see any software updates information.
Copy the WsusContent directory contents from the export server to the import server's WsusContent directory (C:\WSUS\WsusContent by default).
Import software update metadata using the wsusutil.exe utility so that software updates home page won't be so boring.
- Open a command prompt and navigate to the %Program Files%\Update Services\Tools directory.
- Run the following command to import the software updates scan metadata:
wsusutil import <path>\export.cab <path>\import.xml. Of course, you'll need to know where you copied the .cab file that was exported from the WSUS export server at this point.
- The import process takes about 15 minutes or so. You still won't see much interesting going on, but during the import process your command prompt should display the following until the import process has completed:
Updates are being imported. Please do not stop this program.
When it is finished, you'll see this message in the command prompt window: All updates are successfully imported.
- After the import process completes, go back to the Configuration Manager console, expand Software Updates, right-click Update Repository and select Run Synchronization. Some notes about this process:
- Grab another Snickers® it's going to be a while again. This is the point where the WSUS software update metadata information is being imported into the site database. To view the progress of the import process, you can watch the wsyncmgr.log log file. This log file tells you how many updates (metadata) were imported and even how long it took—this process took 3 hours and 19 minutes in my lab!
- Another disk space consideration: my lab's site database was 223MB before synchronizing metadata. After synchronizing the updates that were exported from the WSUS export server (remember the 8MB export.cab file?), the site database was 891MB!
Refresh Update Repository and Viola! the updates are listed according to the WSUS metadata settings you configured on the WSUS export server for products (ie Exchange Server 2007, Forefront Client Security, Windows Server 2008, etc…) and categories (ie Critical Updates, Security Updates, Updates, etc…) earlier.
Of course, none of those updates display as required by clients until you have clients, with the software updates client agent enabled, complete the software update scan cycle, but that's another post J