Appendix C: Configure WSUS for Network Load Balancing
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server Update Services
Network load balancing (NLB) is a strategy that can keep networks running even if one (or more) servers go offline. It can be used in conjunction with WSUS, but requires special steps at setup time.
You should set up WSUS for NLB after configuring your SQL Server 2005 database as a failover cluster. For more information about how to set up SQL Server 2005 as a failover cluster, see How to: Create a New SQL Server 2005 Failover Cluster at https://go.microsoft.com/fwlink/?LinkId=76490. However, you should set up WSUS before configuring the NLB cluster. For more information about how to set up an NLB cluster, see Network Load Balancing Clusters at https://go.microsoft.com/fwlink/?LinkId=76491.
Note
None of the servers taking part in the cluster should be a front-end domain controller.
Important
The maximum number of front-end WSUS servers per database instance is four.
Step 1: Configure remote SQL
You should configure WSUS for remote SQL according to the procedure given in Appendix B: Configure Remote SQL earlier in this guide.
When you have finished this step, you will have the back-end SQL machine set up, as well as one of the front-end WSUS server machines. In the next step you will set up the other front-end WSUS servers.
Step 2: Set up the other front-end WSUS servers
In this step you will install WSUS on the other front-end WSUS servers without creating the database.
To install WSUS on the front-end computer
At the command prompt, navigate to the folder containing the WSUS Setup program, and type:
WSUSSetup.exe /q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server\instance CREATE_DATABASE=0
You will see the Welcome page of the installation wizard. Continue installing WSUS as in the procedure given in Run WSUS 3.0 Server Setup.
Note
If you are using the default SQL instance, leave the instance name blank. For example, if you are using the default instance on a server named MySQLServer, SQLINSTANCE_NAME should be MySQLServer.
Step 3: Configure the front-end WSUS servers
All the front-end WSUS servers should use a proxy server and should authenticate by means of the same user name and password. You can configure this in the WSUS administration console.
To configure the proxy server on WSUS front-end servers
In the WSUS administration console, select Options, then Update Source and Proxy Server.
Select the Proxy Server tab, then enter the proxy server name, port, user name, domain, and password, then click OK.
Repeat this procedure on all the front-end WSUS servers.
Step 4: Set up a DFS share
You should create a single file location that is available to all the front-end WSUS servers. Even if you do not store updates locally, you will need a location for End User License Agreement files. You may wish to do so by storing them on a Distributed File System share.
Note
It is not necessary to use a DFS share with an NLB cluster. You can use a standard network share, and you can ensure redundancy by storing updates on a RAID controller.
This step explains how to set up DFS on one of the servers in your cluster on a Windows Server 2003 server.
To set up a DFS share
Go to Start, point at All Programs, point at Administrative Tools, and click Distributed File System.
You will see the Distributed File System management console. Right-click the Distributed File System node in the left pane and click New Root in the shortcut menu.
You will see the New Root Wizard. Click Next.
In the Root Type screen, select Stand-alone root as the type of root, and click Next.
In the Host Server screen, type the name of the host server for the DFS root or search for it with Browse, and then click Next.
In the Root Name screen, type the name of the DFS root, and then click Next.
In the Root Share screen, select the folder that will serve as the share, or create a new one. Click Next.
In the last screen of the wizard, review your selections before clicking Finish.
You will see an error message if the Distributed File System service has not yet been started on the server. You can start it at this time.
Make sure that the domain account of each of the front-end WSUS servers has change permissions on the root folder of this share. That is, if there is a WSUS server installed locally on the computer that has the DFS share, the Network Service account should have change permissions on the root folder. In addition, the user account of the administrator who will run the movecontent command (in Step 6) should also have change permissions. For each of the remote WSUS servers, the domain/computer account (where domain is the name of the domain and computer is the name of the computer) should have change permissions on the root folder of the share.
After you install a WSUS update, verify the NTFS permissions on the WSUSContent folder. The NTFS permissions on the WSUSContent folder may be reset to the default values by the installer.
Note
For more information about setting permissions on DFS shares, see KB 308568, "How To Set File Permissions for Shares in DFS Replica Sets to Apply to All Replicas" (https://go.microsoft.com/fwlink/?LinkId=86550).
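The permission check described in this step can be scripted so that it is repeatable after each WSUS update. The following PowerShell is an added example, not part of the original guide; the share path and account names are placeholders, and it assumes that "change" corresponds to the NTFS Modify right.

```powershell
# Added example. Reports whether each required account holds an explicit
# Allow ACE granting Modify on the content root folder itself.
# Rights granted only through group membership are not resolved.
function Test-WsusContentAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string[]]$RequiredAccounts
    )
    $modify      = [System.Security.AccessControl.FileSystemRights]::Modify
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $rules = (Get-Acl -Path $Path).Access

    foreach ($account in $RequiredAccounts) {
        $allowed = $false
        $denied  = $false
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $account) { continue }
            # Inherit-only ACEs apply to children, not to the root folder.
            if (($rule.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
            if ($rule.AccessControlType -eq 'Deny') {
                $denied = $true
            } elseif (($rule.FileSystemRights -band $modify) -eq $modify) {
                $allowed = $true
            }
        }
        New-Object PSObject -Property @{
            Account   = $account
            HasChange = ($allowed -and -not $denied)
        }
    }
}

# Placeholder values: substitute your share root and your own accounts.
$required = @(
    'NT AUTHORITY\NETWORK SERVICE',   # WSUS server local to the share
    'EXAMPLE\WSUSFE2$',               # computer account of a remote front end
    'EXAMPLE\wsusadmin'               # administrator who runs movecontent
)
Test-WsusContentAcl -Path 'D:\WSUSShare' -RequiredAccounts $required |
    Where-Object { -not $_.HasChange }
```

Any account listed in the output is missing the right, or is blocked by a Deny entry, and should be corrected before the front-end servers are returned to service.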
Step 5: Configure IIS on the front-end WSUS servers
In order to access the updates on the DFS share, the front-end WSUS servers must have IIS configured to allow remote access.
To configure IIS for remote access on the front-end WSUS servers
On each of the servers, go to Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.
You will see the Internet Information Services (IIS) Manager management console.
Click the server node, then the Web Sites node, then the node for the WSUS Web site (either Default Web Site or WSUS Administration).
Right-click the Content node and select Properties.
In the Content Properties dialog box, click the Virtual Directory tab. In the top frame you will see The content for this resource should come from:
Select A share located on another computer and fill in the UNC name of the share.
Click Connect As, and enter the user name and password that can be used to access that share.
Be sure to follow these steps for each of the front-end WSUS servers that are not on the same machine as the DFS share.
Step 6: Move the local content directory on the first front-end WSUS server to the DFS share
Now it is possible to move the content directories on the first front-end WSUS server to the DFS share. This is the first WSUS front-end server you set up in Step 1. You will not have to move the local content directory on the front-end servers you set up in Step 2.
To move the content directories on the front-end WSUS servers
Open a command window.
Go to the WSUS tools directory on the WSUS server:
cd \Program Files\Update Services\Tools
Type the following command:
wsusutil movecontent DFSsharename logfilename
where *DFSsharename* is the name of the DFS share to which the content should be moved, and *logfilename* is the name of the log file.
Step 7: Configure the NLB
See Network Load Balancing Clusters at https://go.microsoft.com/fwlink/?LinkId=76491 for more information about this topic.
To configure Network Load Balancing
Enable Network Load Balancing:
Click Start, then Control Panel, Network Connections, Local Area Connection, and click Properties.
Under This connection uses the following items, you may see an entry for Network Load Balancing. If you do not, click Install, then (on the Select Network Component Type screen) select Service, then click Add, then (on the Select Network Service screen) select Network Load Balancing, then OK.
On the Local Area Connection Properties screen, select Network Load Balancing, and then click OK.
On the Local Area Connection Properties screen, select Network Load Balancing, and then click Properties.
On the Cluster Parameters tab, fill in the relevant information (the virtual IP address to be shared among the front end computers, and the subnet mask). Under Cluster operation mode, select Unicast.
On the Host Parameters tab, make sure that the unique host identifier is different for each member of the cluster.
On the Port Rules tab, make sure that there is a port rule specifying single affinity (the default). (Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.)
Click OK, and return to the Local Area Connection Properties screen.
Select Internet Protocol (TCP/IP) and click Properties, and then click Advanced.
On the IP Settings tab, under IP addresses, add the virtual IP of the cluster (so that there will be two IP addresses). This should be done on each cluster member.
On the DNS tab, clear the Register this connection's addresses in DNS checkbox. Make sure that there is no DNS entry for the IP address.
Step 8: Test the WSUS NLB configuration
You should first make sure that at least one of the WSUS front-end servers can perform an initial synchronization. If the synchronization is successful, continue to the next step. Otherwise, review the WSUS setup and NLB cluster setup.
Step 9: Configure WSUS clients to sync from the DFS share
Instructions for configuring WSUS client machines are given in Update and Configure the Automatic Updates Client. However, in the case of WSUS on NLB clusters, you should specify the virtual address of the NLB cluster rather than one of the individual servers. For example, if you are setting up your clients with a Group Policy object or Local Group Policy object, the setting for the Specify intranet Microsoft update service location setting should be the virtual Web address.
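To confirm on a client that the policy really targets the cluster's virtual address and not a single front-end server, the registry values written by the Specify intranet Microsoft update service location setting can be inspected. The following PowerShell is an added example, not part of the original guide; the host names are placeholders.

```powershell
# Added example. Checks that the Automatic Updates policy on this client
# targets the NLB virtual name rather than one front-end server.
function Test-WsusClientTarget {
    param(
        [Parameter(Mandatory = $true)][string]$ClusterHost,
        [string[]]$NodeHosts = @()
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    if (-not $wu -or -not $au -or $au.UseWUServer -ne 1) {
        return 'No intranet update service location is enforced by policy'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $wu.$name
        if (-not $value) { return "$name is not set" }
        # The policy stores a URL such as http://host or http://host:port.
        $targetHost = ([uri]$value).Host
        if ($NodeHosts -contains $targetHost) {
            return "$name points at individual node $targetHost"
        }
        if ($targetHost -ne $ClusterHost) {
            return "$name points at unexpected host $targetHost"
        }
    }
    return 'OK'
}

# Placeholder names: the cluster's virtual name and its front-end servers.
Test-WsusClientTarget -ClusterHost 'wsus.example.local' `
    -NodeHosts 'wsusfe1.example.local', 'wsusfe2.example.local'
```

A client that reports an individual node keeps depending on that one server and loses the failover the cluster is meant to provide.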
Important
If you are using a DFS share, be careful when uninstalling WSUS from one but not all of the front-end servers. If you allow the WSUS content directory to be deleted, this will affect all the WSUS front-end servers.
Upgrading NLB
Note
Check that you have followed all the steps above to configure WSUS for NLB. If any steps were not followed, reconfigure WSUS for NLB by following all of the steps above.
To upgrade NLB on all machines
Shut down the NLB service. At the command prompt type nlb.exe suspend.
Shut down IIS and the WSUS service. At the command prompt type iisreset /stop and then net stop wsusservice.
Ensure no other services are able to access the database during the upgrade window. At the command prompt type nlb.exe disable.
Back up your database.
On your machine hosting the database, click Start, and then click Run.
In the Open box, type %windir%\system32\ntbackup.exe and then click OK.
In the Backup or Restore Wizard, click Next.
Verify that Backup files and settings is selected, and then click Next.
Click Let me choose what to back up, and then click Next.
Under the location where your database files are stored, click the Data and LOG folders, and then click Next.
Use the Browse button to choose a place to save your backup, type a name for the backup, and then click Next.
If you want to set additional specifications for your backup, including whether it will be an incremental backup and whether you want to verify the backup, set a recurring schedule for the backup, or other options, click Advanced, and then follow the prompts that appear in the wizard.
When the wizard is finished, click Finish.
When the message appears that informs you that the backup is complete, click Close.
Upgrade each frontend machine individually.
Set up WSUS. At the command prompt type Wsussetup.exe /q /g.
Review the setup log to verify the upgrade was successful. At the command prompt type Wsussetup.log.
Ensure that IIS and the WSUS service are stopped. At the command prompt type iisreset /stop and then net stop wsusservice.
Proceed to the next machine.
Start IIS and the WSUS service. Click the Start button, point to Administrative tools, click Services, and then click the service you want to start.
Start the NLB service. At the command prompt, type nlb.exe resume.