Note: The information in this topic applies only to System Center
2012 Configuration Manager SP1.
This topic provides the steps for how to configure Network Load
Balancing (NLB) in Configuration Manager with no service pack. NLB
can increase the reliability and performance of a network. You can
set up multiple WSUS servers that share a single SQL Server
failover cluster, and then configure a software update point to use
the NLB, but this configuration requires that you perform
additional steps during WSUS setup.
Note: The maximum number of WSUS servers that can be configured as
part of a network load balancing cluster is four.
Use the following sections to configure an active software
update point to use an NLB cluster:
- Prepare the network environment for network
load balanced software update point site systems.
- Install WSUS 3.0 (on each server that
will host the software update point site system role).
- Install the software update point site system
role (on each server that will be part of the software update point
network load balancing cluster).
- Configure the Windows Server network load
balancing cluster for installed software update site systems.
- Configure the active software update point
component for the Configuration Manager site as the software update
point network load balancing cluster.
Configure WSUS for Network
Load Balancing
Prepare the Network Environment for
NLB Software Update Point Site Systems
Use the following procedure to prepare the network
environment for the software update point to use an NLB
cluster.
To prepare the network environment for
NLB software update point site systems
-
Create or identify a domain user account to be used as
the Software Update Point Connection account.
-
Add the computer accounts of each site system that will
be configured as part of the software update point NLB cluster to
the local Administrators group on each server that will be part of
the NLB cluster.
Note: The computer accounts for the cluster nodes must be able to
write to the WSUS database. If the local Administrators group is
removed from the SysAdmin role on the SQL server, the computer
accounts will not be able to write to the WSUS database, and the
software update point will fail to install until the computer
accounts are added to the SysAdmin role.
-
Create a DFS share or a standard network shared folder
that is available to all of the WSUS servers that will be part of
the software update point NLB cluster to be used as the WSUS
resource content share. Each of the remote WSUS servers should be
given change permissions on the root of the shared folder (all
standard NTFS permissions except for Full Control). If the share is
created on one of the site systems that will be part of the NLB
cluster, the Network Access Account for the site system must have
change permissions on the root of the shared folder. The user
account used to run WSUS Setup must also have the same permissions
to the share.
-
Identify the computer running SQL Server to host
the WSUS database. The WSUS database can be installed on the same
SQL Server database server instance that hosts the site database or
a different SQL Server database server.
-
The WSUS 3.0 Administration console must be
installed on the primary site server to allow the site server and
remote Configuration Manager consoles to configure and synchronize
with WSUS.
-
If the Configuration Manager site is configured to
communicate by using SSL authentication, Web server signing
certificates must be configured on each of the software update
point site systems that will be configured as part of the NLB. For
more information about configuring Web server signing certificates
for network load balanced software update points, see PKI Certificate
Requirements for Configuration Manager.
Install WSUS 3.0 (on each server
that will host the software update point site system role)
Note: The following procedure must be performed on each server that
will be part of the software update point NLB cluster.
To install WSUS 3.0 to support the
Configuration Manager software update point site system role
-
On a server that will be part of the software update
point NLB cluster, create the following folder: <Program
Files directory>\Update Services.
-
Install WSUS 3.0 on each server that will be a
member of the software update point NLB cluster. For more
information about installing WSUS, see Install the WSUS 3.0 SP2 Server Software
Through the User Interface in the Windows Server Update Services
documentation library. During installation, consider the following
settings:
- On the Select Update Source page,
select the Store updates locally check box and enter the
path <Program Files directory>\Update
Services.
- On the Database Options page, do one
of the following.
- If you are running WSUS Setup on the server
hosting the WSUS SQL Server database, select Use an
existing database server on this computer, and then select the
instance name to be used from the drop-down list.
- If you are running WSUS Setup on a computer
that will not host the WSUS SQL Server database, select Use
an existing database server on a remote computer and enter the
FQDN of the SQL Server that will host the WSUS database
followed by the instance name (if not using the default
instance).
Warning: If another WSUS Server that will be part of the NLB cluster has
been configured to use the same SQL Server database server,
select Use existing database.
-
Add the Software Update Point Connection Account to the
local WSUS Administrators group on the server.
-
On the SQL Server computer that hosts the WSUS
database, provide db_owner rights on the SUSDB database for
the Software Update Point Connection Account.
-
Configure Internet Information Services (IIS) to enable
content share access.
- Open the Internet Information Services (IIS) Manager
console.
- Expand <server name>, expand Sites, and
then expand the Site node for the WSUS Web site (either Default
Web Site or WSUS Administration).
- Configure the virtual directory Content to use the UNC share
name of the share created in step 3 of the To prepare the network environment for NLB
software update point site systems procedure in this topic.
- Configure the credentials used to connect to the virtual
directory with the user name and password of the Software Update
Point Connection Account created in step 1 of the To prepare the network environment for NLB
software update point site systems procedure in this topic.
-
Configure SSL authentication in Internet Information
Services (IIS).
Important: This step is only required if the software update point will be
configured to communicate by using SSL. If you are not configuring
the software update point to use SSL, skip to step 6.
- Open Internet Information Services (IIS) Manager.
- Expand Web Sites, and then expand the WSUS
administration Web site (either Default Web Site or WSUS
Administration).
- Configure the following virtual directories of the WSUS
administration Web site to use SSL: APIRemoting30,
ClientWebService, DSSAuthWebService,
ServerSyncWebService, and SimpleAuthWebService.
- Close Internet Information Services (IIS) Manager.
- Run the following command from <WSUS Installation
Folder>\Tools: WSUSUtil.exe configuressl
<Intranet FQDN of the software update point site system
node>.
-
Move the local content directory to the WSUS resource
content share created in step 3 of the To prepare the network environment for NLB
software update point site systems procedure in this topic.
Important: This step must be followed for each of the front-end WSUS
servers that are not on the same server as the WSUS resource
content share.
- Open a command window and navigate to the WSUS tools directory
on the WSUS server: cd Program Files\Update
Services\Tools
- On the first WSUS server to be configured, at the command
prompt, type the following command:
wsusutil movecontent <WSUSContentsharename> <logfilename>
Where <WSUSContentsharename> is the name of the WSUS
content resource location share to which the content should be
moved, and <logfilename> is the name of the log file that will
be used to record the content move procedure.
- On the successive WSUS servers to be configured, at the command
prompt, type the following command:
wsusutil movecontent <WSUSContentsharename> <logfilename> /skipcopy
Where <WSUSContentsharename> is the name of the WSUS
content resource location share to which the content should be
moved, and <logfilename> is the name of the log file that will
be used to record the content move procedure.
Note: To verify that the content move was successful, review the log
file created during the procedure, and use Registry Editor to review
the ContentDir value under the
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
registry key to ensure that the value has been changed to the WSUS
content resource location share name.
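The registry check in the note above, together with the IIS content share and SSL settings from the earlier steps, can be verified on each node with a read-only script. This is an added example, not part of the original topic; the share path is a placeholder, and the site name and the New-Check helper are assumptions for illustration.

```powershell
# Added example: read-only post-install check for one WSUS node of the NLB cluster.
# Assumptions (not from the original topic): the share path is a placeholder and
# the WSUS site is 'Default Web Site' (pass 'WSUS Administration' otherwise).
param(
    [string]$ExpectedShare = '\\fileserver.example.test\WSUSContent',  # placeholder
    [string]$SiteName      = 'Default Web Site',
    [switch]$RequireSsl    # set only when the software update point uses SSL
)
Import-Module WebAdministration

# Hypothetical helper: builds one result row (PowerShell 2.0 compatible).
function New-Check($Name, $Actual, $Pass) {
    New-Object psobject -Property @{ Check = $Name; Actual = $Actual; Pass = [bool]$Pass }
}
$share   = $ExpectedShare.TrimEnd('\')
$ignore  = [System.StringComparison]::OrdinalIgnoreCase
$results = @()

# ContentDir must name the content share once "wsusutil movecontent" has run.
$setupKey   = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$contentDir = (Get-ItemProperty -Path $setupKey -Name ContentDir).ContentDir
$results += New-Check 'Registry ContentDir' $contentDir `
    ("$contentDir".TrimEnd('\') -ieq $share)

# The Content virtual directory must resolve to the share, not a local folder.
$vdirPath = (Get-WebVirtualDirectory -Site $SiteName -Name 'Content').physicalPath
$results += New-Check 'IIS Content virtual directory' $vdirPath `
    ("$vdirPath".StartsWith($share, $ignore))

# With SSL in use, each of the five WSUS virtual directories must require it.
if ($RequireSsl) {
    $sslDirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
               'ServerSyncWebService', 'SimpleAuthWebService'
    foreach ($dir in $sslDirs) {
        $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location "$SiteName/$dir" `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
        $results += New-Check "SSL required on $dir" "$flags" ("$flags" -match '\bSsl\b')
    }
}

$results | Select-Object Check, Actual, Pass | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it in an elevated PowerShell session on each front-end node; a non-zero exit code means at least one check failed on that node.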
Install the Software Update Point
Site System Role
Use the following procedure on each software update
point that will be part of the software update point NLB
cluster.
To install the software update point
site system role on servers that will be part of the network load
balancing cluster
-
In the Configuration Manager console, click
Administration.
-
In the Administration workspace, expand Site
Configuration and click Servers and Site System
Roles.
-
Add the software update point site system role to a new
or existing site system server by using the associated step:
- New site system server: On the
Home tab, in the Create group, click Create Site
System Server. The Create Site System Server Wizard opens.
- Existing site system server: Click the
server in which you want to install the software update point site
system role. When you click a server, a list of the site system
roles that are already installed on the server is displayed in the
details pane.
On the Home tab, in the Server group, click Add
Site System Role. The Add Site System Roles Wizard opens.
-
On the General page, specify the general settings for
the site system server. When you add the software update point to
an existing site system server, verify the values that were
previously configured.
-
On the System Role Selection page, select Software
update point from the list of available roles, and then click
Next.
-
On the Software Update Point page, specify whether the
site server will use a proxy server when software updates are
synchronized and when downloading software update files, and
whether to use credentials to connect to the proxy server. Click
Next.
-
On the Active Settings page, click Next, and
then click Close to exit the wizard and create the
non-active software update point.
Configure the Windows Server Network
Load Balancing Cluster for Installed Software Update Point Site
Systems
To configure the Windows Server
network load balancing cluster for installed software update point
site systems
-
To configure the Windows Server NLB cluster for
installed software update point site systems, follow the
instructions for deploying NLB for the operating system running on
the site system. For Windows Server 2008 and
Windows Server 2008 R2, see the Network Load Balancing Deployment
Guide.
-
After you verify that the NLB cluster is operating
successfully, you can configure the active software update point to
use the NLB cluster.
Configure the Active Software Update
Point to Use an NLB Cluster
Use the following procedure to configure the active
software update point for the site to use an NLB cluster.
To configure the active software
update point to use an NLB cluster
-
In the Configuration Manager console, click
Administration.
-
In the Administration workspace, expand Site
Configuration and click Servers and Site System
Roles.
-
On the Home tab, click Configure Site
Components, and then click Software Update Point. The
Software Update Point Component Properties opens.
-
On the General tab, select Use Network Load
Balancing cluster for active software update point.
-
Click Settings and configure the following NLB
settings:
- NLB address type: Select FQDN.
- Intranet FQDN or IP address: Enter the FQDN that you
created in step 6 of Prepare
the Network Environment for NLB Software Update Point Site
Systems.
Click OK.
-
Click Set, and then select to configure the
Software Update Point Connection Account to use the Windows user
account that you created in step 1 of the To prepare the network environment for NLB
software update point site systems procedure in this topic.
Select Existing account to specify a Windows
user account that has previously been configured as a Configuration
Manager account or select New account to specify a Windows
user account that is not currently configured as a Configuration
Manager account. The user is displayed in the Accounts
subfolder of the Security node in the Administration
workspace with the Software Update Point Connection Account name.
Click OK.
-
Determine the communication settings that you want to
use for the active software update point, and then click
OK.