Friday, April 29, 2016

Migrating to ConfigMgr Current Branch - Moving SUP (WSUS) to server 2012 R2

Hey guys. This is the second post in the series "Migrating to ConfigMgr Current Branch". In my first post we talked about moving the MP to a server 2012 R2, and in this post we will talk about moving the SUP to server 2012 R2. I wanted to index all the posts in this series to make navigation easy for you guys. Here it is:

Migrating to ConfigMgr Current Branch

1. Migrating to ConfigMgr Current Branch - Migrating MP to server 2012 R2

2. Migrating to ConfigMgr Current Branch - Moving SUP (WSUS) to server 2012 R2


Let's get into this. The ConfigMgr 2012 instance I support has 2 SUP role instances on 2 different servers. Both WSUS instances on the SUPs share the same SQL DB, which resides under the ConfigMgr DB instance, and a shared WSUS content share, which is hosted in a file share. Since both WSUS instances use the same DB and content share, and I really can't touch the DB as it is a prod instance, I had to take the below approach to complete this task.

(The new server 2012 R2 servers will be called sup2012_1 and sup2012_2 from now on in this post.)

  • Install WSUS with WID (Windows Internal Database) on sup2012_1
  • Detach the WID DB from sup2012_1 and attach it to the ConfigMgr SQL instance with a name different from the default SUSDB (in my case, I named it SUSDB_<SiteCode>)
  • Configure sup2012_1 to use the attached SQL database
  • Install WSUS on sup2012_2 and configure it to use the same DB and content share used by sup2012_1
  • Configure the SUP role on both sup2012 servers and initiate a WSUS sync
  • Perform functionality and availability tests
  • Remove the SUP role from server 2008 R2

Let's see each phase in detail.

Install WSUS with WID (Windows Internal Database) on sup2012_1

  • Log in to the server sup2012_1 and make sure the firewall is turned off or the necessary firewall rules are created to allow the site server and sup2012_1 to communicate
  • Add the computer account of the site server as a local admin on sup2012_1
  • If you have an additional drive for the ConfigMgr components and don't want SCCM to get installed on the C drive, create NO_SMS_ON_DRIVE.SMS in the root of the C drive, so that the drive will be untouched.
  • Create a shared folder in a file share for WSUS content and provide full control for everyone. (\\FileServer\ShareFolder)
  • Open an elevated PowerShell console and execute the below command to install WSUS and the required IIS features
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
  • Once the command has completed successfully (ignore the warning message about post-installation configuration), execute the below command to perform the post-installation configuration
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR="\\FileServer\ShareFolder"
  • After the post-installation configuration is completed, launch the IIS management console and navigate to Sites->WSUS Administration, right click on Content, select Manage Virtual Directory and select Advanced Settings.
  • In the Advanced Settings properties, make sure the Physical Path starts with "\\"; if not, add it, as seen in the below screenshot


  • Restart the W3SVC and WSUS services
  • Launch the WSUS administration console to make sure that the console launches without any error. (DO NOT CHANGE ANY CONFIGURATIONS THROUGH CONSOLE)

Migrate from WID to Remote SQL (Server 2012 WSUS)

  • Download Microsoft ODBC Driver 11 for SQL Server and SQLCMD from the below links respectively.
https://www.microsoft.com/en-us/download/details.aspx?id=36434
https://www.microsoft.com/en-us/download/details.aspx?id=36433
  • Install the ODBC driver followed by SQLCMD on the sup2012_1 server by following the installation wizards
  • Stop the W3SVC and WSUS services
  • Open an elevated command prompt and execute the following commands to provision and detach the WSUS DB from WID
sqlcmd -S \\.\pipe\MICROSOFT##WID\tsql\query
use master
alter database SUSDB set single_user with rollback immediate
go
sp_detach_db SUSDB
go
  • Once the above step has completed successfully, navigate to C:\Windows\WID\Data and copy susdb.mdf to a shared location.
  • Log in to the SQL server where your existing SUSDB is hosted, launch SSMS (SQL Server Management Studio), connect to the DB instance and attach the copied susdb.mdf file with the name SUSDB_<SiteCode> by going through the attach DB wizard
  • Once the DB is successfully attached, log in to the SUP server (sup2012_1) with admin privileges, navigate to HKLM\SOFTWARE\Microsoft\UpdateServices\Server\Setup in the registry editor and change the values as shown below
SQLServerName: <SQL server Name>\<Instance Name>
SqlDatabaseName: SUSDB_<SiteCode>
ContentDir: \\FileServer\ShareFolder
  • Start the W3SVC and WSUS services
  • Launch the WSUS admin console to make sure it is able to connect to the DB

Install and Configure WSUS on sup2012_2 (Replication Partner)

  • Log in to the server sup2012_2 and make sure the firewall is turned off or the necessary firewall rules are created to allow the site server and sup2012_2 to communicate
  • Add the computer account of the site server as a local admin on sup2012_2
  • If you have an additional drive for the ConfigMgr components and don't want SCCM to get installed on the C drive, create NO_SMS_ON_DRIVE.SMS in the root of the C drive, so that the drive will be untouched.
  • Open an elevated PowerShell console and execute the below command to install WSUS and the required IIS features (without DB)
install-windowsfeature -name updateservices-services -includemanagementtools
  • Open the registry editor, navigate to HKLM\SOFTWARE\Microsoft\UpdateServices\Server\Setup and change the values as shown below
    SQLServerName: <SQL server Name>\<Instance Name>
    SqlDatabaseName: SUSDB_<SiteCode>
    ContentDir: \\FileServer\ShareFolder
(Exact same values as on the sup2012_1 server)
  • In an elevated PowerShell console, execute the below command to perform the post-installation configuration
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR="\\FileServer\ShareFolder"
  • Once the post-installation configuration is completed, launch the IIS management console and navigate to Sites->WSUS Administration, right click on Content, select Manage Virtual Directory and select Advanced Settings.
  • In the Advanced Settings properties, make sure the Physical Path starts with "\\"; if not, add it, as seen in the below screenshot


  • Restart the W3SVC and WSUS services.
  • Launch the WSUS administration console to make sure that the console launches without any error. (DO NOT CHANGE ANY CONFIGURATIONS THROUGH CONSOLE)
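
Both SUPs only share one database and content share if the three Setup values match on each server. The following PowerShell check is an added example, not part of the original post; the function names are hypothetical, PowerShell remoting to both servers is assumed, and the sample values are constructed.

```powershell
# Added example (not from the original post): confirm that both SUPs point at
# the same WSUS database and content share.
$SetupKey   = 'HKLM:\SOFTWARE\Microsoft\UpdateServices\Server\Setup'
$ValueNames = 'SqlServerName', 'SqlDatabaseName', 'ContentDir'

function Get-WsusSetupValues {
    # Hypothetical helper: reads the three values over PowerShell remoting.
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $SetupKey, $ValueNames -ScriptBlock {
        param($Key, $Names)
        $props = Get-ItemProperty -Path $Key
        $out = [ordered]@{}
        foreach ($n in $Names) { $out[$n] = [string]$props.$n }
        [pscustomobject]$out
    }
}

function Compare-WsusSetupValues {
    # Pure comparison, one row per value. Values are compared
    # case-insensitively and a trailing backslash is ignored.
    param([Parameter(Mandatory = $true)]$Reference,
          [Parameter(Mandatory = $true)]$Difference)
    foreach ($n in $ValueNames) {
        $ref = ([string]$Reference.$n).TrimEnd('\')
        $dif = ([string]$Difference.$n).TrimEnd('\')
        $problem = ''
        if ($ref -eq '' -or $ref -ine $dif) {
            $problem = 'values differ or are empty'
        } elseif ($n -eq 'ContentDir' -and -not $ref.StartsWith('\\')) {
            $problem = 'not a UNC path'
        }
        [pscustomobject]@{ Name = $n; Reference = $ref; Difference = $dif; Problem = $problem }
    }
}

# Constructed sample values: the second server was left on the default DB name.
$sup1 = [pscustomobject]@{ SqlServerName = 'SQL01\CM'; SqlDatabaseName = 'SUSDB_ABC'; ContentDir = '\\FileServer\ShareFolder' }
$sup2 = [pscustomobject]@{ SqlServerName = 'sql01\cm'; SqlDatabaseName = 'SUSDB'; ContentDir = '\\FileServer\ShareFolder\' }
# On real servers:
# $sup1 = Get-WsusSetupValues sup2012_1; $sup2 = Get-WsusSetupValues sup2012_2
Compare-WsusSetupValues -Reference $sup1 -Difference $sup2 | Format-Table -AutoSize
```

An empty Problem column on all three rows means the servers agree; with the sample above only SqlDatabaseName is reported.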


Install SUP role on both servers (sup2012_1 & sup2012_2)


  • Connect to the ConfigMgr site through PowerShell by selecting "Connect via Windows PowerShell" from the console file menu
  • Execute the below PowerShell command to add the server 2012 R2 servers as site systems in your ConfigMgr site (if they are not already)
New-CMSiteSystemServer -ServerName "sup2012_1.<DomainName>.<Com>"  -SiteCode "<SiteCode>"
  • On successful completion of the above, execute the below PowerShell command to add sup2012_1 as a SUP
Add-CMSoftwareUpdatePoint -SiteSystemServerName  "sup2012_1.<DomainName>.<Com>"  -SiteCode "<SiteCode>" -ClientConnectionType Intranet -WsusiisPort "8530" -WsusiissslPort "8531" -Verbose
  • Go through supsetup.log in the installation directory and make sure the SUP installation succeeded.
  • Once the installation has succeeded, navigate to \Administration\Overview\Site Configuration\Servers and Site System Roles in the ConfigMgr console, select sup2012_1, and right click on the SUP role to see the properties. Make sure all the options you need are selected and configured.
  • Go through wcm.log on the site server and make sure the configuration completed without any errors. If you happen to receive the below error in wcm.log, it can safely be ignored, as this is known behaviour in ConfigMgr 2012 R2 SP2
Failed to create assembly name object for Microsoft.UpdateServices.Administration. Error = 0x80131701.    SMS_WSUS_CONFIGURATION_MANAGER    29.04.2016 09:09:07    11840 (0x2E40)
  • Once everything is green, initiate an update sync in the ConfigMgr console and observe the outcome.
  • Follow the above procedure to install the SUP role on sup2012_2 and initiate a sync to make sure everything is OK.

Known Errors

In this section we will talk about known errors when configuring a server 2012 R2 as a SUP in a ConfigMgr environment.

Error 1 - WSUS app pool crash

When you configure a server 2012 R2 WSUS as a ConfigMgr SUP, the WSUS app will crash when clients start using that SUP, and the console will not connect to WSUS, with the below messages in Event Viewer.

Event ID:      12052
Task Category: 9
Level:         Error
Description:
The DSS Authentication Web Service is not working.

Event ID:      12042
Task Category: 9
Level:         Error
Description:
The SimpleAuth Web Service is not working.

Event ID:      12022
Task Category: 9
Level:         Error
Description:
The Client Web Service is not working.

Event ID:      12032
Task Category: 9
Level:         Error
Description:
The Server Synchronization Web Service is not working.

Event ID:      12012
Task Category: 9
Level:         Error
Description:
The API Remoting Web Service is not working.

Event ID:      12002
Task Category: 9
Level:         Error
The Reporting Web Service is not working.

Event ID:      13042
Task Category: 6
Level:         Error
Description:
Self-update is not working.

Fix

To fix this we need to change certain values at the IIS level for the WSUS website. To do that:
  • Launch the IIS management console, navigate to Application Pools, right click on the WSUS pool and go to Advanced Settings.
  • In the Advanced Settings properties, change the Queue Length to 50000 as shown in the below screenshot

  • After making this change, restart the W3SVC and WSUS services.
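
To confirm whether a server is hitting this error and whether the fix has been applied, the events listed in this section and the queue length can be checked from PowerShell. This is an added example, not part of the original post; the function names are hypothetical, `WsusPool` is assumed to be the application pool name (the default install name), and the sample event records are constructed.

```powershell
# Added example (not from the original post): summarise the WSUS health
# events listed in this post and check the app pool queue length from the fix.
$WsusHealthEvents = @{
    12052 = 'DSS Authentication Web Service'
    12042 = 'SimpleAuth Web Service'
    12022 = 'Client Web Service'
    12032 = 'Server Synchronization Web Service'
    12012 = 'API Remoting Web Service'
    12002 = 'Reporting Web Service'
    13042 = 'Self-update'
}

function Get-WsusServiceFailure {
    # Takes event records (anything with Id and TimeCreated) and returns one
    # row per failing component with a count and the most recent time.
    param([Parameter(Mandatory = $true)][object[]]$Events)
    $Events | Where-Object { $WsusHealthEvents.ContainsKey([int]$_.Id) } |
        Group-Object -Property Id | ForEach-Object {
            $id = [int]$_.Name
            [pscustomobject]@{
                EventId   = $id
                Component = $WsusHealthEvents[$id]
                Count     = $_.Count
                LastSeen  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            }
        } | Sort-Object EventId
}

function Test-WsusPoolQueueLength {
    # Run on the WSUS server. 'WsusPool' is an assumed pool name; 50000 is
    # the value this post sets.
    param([string]$PoolName = 'WsusPool', [int]$Expected = 50000)
    Import-Module WebAdministration
    $actual = (Get-Item "IIS:\AppPools\$PoolName").queueLength
    [pscustomobject]@{ Pool = $PoolName; QueueLength = $actual; Ok = ($actual -eq $Expected) }
}

# Constructed sample records standing in for Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ Id = 12022; TimeCreated = [datetime]'2016-04-29T09:10:00' }
    [pscustomobject]@{ Id = 12022; TimeCreated = [datetime]'2016-04-29T09:40:00' }
    [pscustomobject]@{ Id = 13042; TimeCreated = [datetime]'2016-04-29T09:41:00' }
    [pscustomobject]@{ Id = 1000;  TimeCreated = [datetime]'2016-04-29T09:42:00' }
)
Get-WsusServiceFailure -Events $sample | Format-Table -AutoSize
# Live: Get-WsusServiceFailure (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = @($WsusHealthEvents.Keys) })
# Live: Test-WsusPoolQueueLength
```

The live query filters on event ID only, so filter further by provider if other software on the server logs the same IDs.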

Functionality & Availability tests

  • Launch the ConfigMgr Admin console and navigate to Monitoring\Overview\Software Update Point Synchronization Status to verify that the newly installed SUP synchronizes without any issues
  • Additionally, go through wsusctrl.log, wcm.log and wsyncmgr.log to make sure that there are no errors in SUP operations
  • Identify a group of test clients and make them report to the newly installed SUP by changing the local group policy configuration. Launch gpedit.msc and navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. Edit the policy "Specify intranet Microsoft Update service location" to type in your server name as in the below image.

  • Create a test update group, deployment package and deployment to make sure the test clients successfully complete the scan against the newly installed SUP, download the content, install the updates and perform post-validation scans.
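
Before running the test deployment, it helps to confirm that the policy edit actually landed on each test client. The following PowerShell is an added example, not part of the original post; the function names and the `example.com` host names are hypothetical, the sample values are constructed, and the expected ports are the 8530/8531 used earlier in this post.

```powershell
# Added example (not from the original post): check that a test client's
# Windows Update policy points at the new SUP.
function Test-WsusClientPolicy {
    # $Policy needs WUServer, WUStatusServer and UseWUServer properties.
    param([Parameter(Mandatory = $true)]$Policy,
          [Parameter(Mandatory = $true)][string]$ExpectedHost,
          [int[]]$ExpectedPorts = @(8530, 8531))
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $uri = $null
        $parsed = [uri]::TryCreate([string]$Policy.$name, [System.UriKind]::Absolute, [ref]$uri)
        [pscustomobject]@{
            Setting = $name
            Value   = $Policy.$name
            Scheme  = if ($parsed) { $uri.Scheme } else { $null }
            # A URL without an explicit port resolves to 80/443 and fails here.
            Ok      = $parsed -and ($uri.Host -ieq $ExpectedHost) -and ($ExpectedPorts -contains $uri.Port)
        }
    }
    [pscustomobject]@{
        Setting = 'UseWUServer'; Value = $Policy.UseWUServer
        Scheme  = $null;         Ok    = ($Policy.UseWUServer -eq 1)
    }
}

function Get-WsusClientPolicy {
    # Reads the values that the "Specify intranet Microsoft Update service
    # location" policy writes on the local machine.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

# Constructed sample: the status server still points at an old SUP, no port.
$sample = [pscustomobject]@{
    WUServer       = 'http://sup2012_1.example.com:8530'
    WUStatusServer = 'http://sup2008.example.com'
    UseWUServer    = 1
}
Test-WsusClientPolicy -Policy $sample -ExpectedHost 'sup2012_1.example.com' | Format-Table -AutoSize
# Live: Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedHost '<your SUP FQDN>'
```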

Remove server 2008 R2 SUP

This is pretty much straightforward. The upstream SUP must be removed last, after all of its downstream SUPs are removed.
  • Log in to the site server. In the Admin console navigate to Administration\Overview\Site Configuration\Servers and Site System Roles and select the server 2008 R2 SUP in the right pane
  • Right click on the Software Update Point role and click on Remove Role
(While removing the upstream SUP it will ask you to select a new upstream server. From the drop-down menu, select one of the newly installed SUPs.)
  • Check supsetup.log to verify successful de-installation of the SUP role
  • Navigate to Administration\Overview\Site Configuration\Servers and Site System Roles, right click on the server 2008 R2 site system and select Delete.

Hope this post helps you when you plan to move your SUP role from server 2008 R2 to server 2012 R2. I know this is a lengthy post, and I tried my level best to explain without including too many screenshots. If you have any questions or suggestions, please leave a comment. I will try to answer them. :-)

S A Delphin

2 comments:

Unknown said...

Excellent post Delphin

S A Delphin said...

Thank you Hari
