Using network load balanced software update point site systems allows for scalability of support for Configuration Manager sites with over 25,000 assigned clients that will connect to Windows Server Update Services (WSUS) on the active software update point site system server. Configuring the active software update point site system in a network load balancing cluster can also be beneficial for Configuration Manager sites with fewer than 25,000 assigned clients to ensure site system high availability.
Note |
---|
The maximum number of WSUS servers that can be configured as part of a network load balancing cluster is four. |
The following five procedures are required to configure the active software update point component for a Configuration Manager site as a network load balancing cluster:
- Prepare the network environment for network load balanced software update point site systems.
- Install WSUS 3.0 (on each server that will host the software update point site system role)
- Install the software update point site system role (on each server that will be part of the software update point network load balancing cluster)
- Configure the Windows Server network load balancing cluster for installed software update site systems
- Configure the active software update point component for the Configuration Manager site as the software update point network load balancing cluster.
Prepare the network environment for network load balanced software update point site systems.
To prepare the network environment for network load balanced software update point site systems
-
Create or identify a domain user account to be used as the Software Update Point Connection account. For more information about the Software Update Point Connection account, see About the Software Update Point Connection Account.
-
Add the computer accounts of each site system that will be configured as part of the software update point network load balancing cluster to the local administrators group of each server that will be part of the network load balancing cluster.
Note The computer accounts for the cluster nodes must be able to write to the WSUS database. If the local administrators group is removed from the SysAdmin role on the SQL server, the computer accounts will not be able to write to the WSUS database, and the software update point will fail to install until the computer accounts are added to the SysAdmin role in some way.
-
Create a DFS share or a standard network shared folder that is available to all of the WSUS servers that will be part of the software update point network load balancing cluster to be used as the WSUS resource content share. Each of the remote WSUS servers should be given change permissions on the root of the shared folder (all standard NTFS permissions except for full control). If the share is created on one of the site systems that will be part of the network load balancing cluster, the site system computer's Network Access account must have change permissions on the root of the shared folder. The user account used to run WSUS Setup should also have these permissions to the share created. For more information about setting up a DFS share for WSUS remote servers, see http://go.microsoft.com/fwlink/?LinkId=91278.
-
A SQL Server 2005 database server should be identified to host the WSUS database. The WSUS database can be installed on the same SQL Server 2005 database server instance that hosts the site database or a different SQL Server 2005 database server. For information about configuring SQL Server 2005 to host the WSUS database, see Appendix B: Configure Remote SQL topic in the Windows Server Update Services documentation at http://go.microsoft.com/fwlink/?LinkId=91278.
-
The WSUS 3.0 Administration console must be installed on the primary site server site system to allow the site server and remote Configuration Manager consoles to configure and synchronize software update points. For more information about installing the WSUS 3.0 administration console, see How to Install the Windows Server Update Services 3.0 Administration Console.
-
If the Configuration Manager 2007 site is configured to operate in native mode, or SSL authentication will be configured for the WSUS servers in a Configuration Manager 2007 site configured to operate in mixed mode, Web server signing certificates must be configured on each of the software update point site systems that will be configured as part of the network load balancing cluster. For more information about configuring Web server signing certificates for network load balanced software update points, see Deploying the Web Server Certificate to Network Load Balanced Site Systems.
Install WSUS 3.0 (on each server that will host the software update point site system role)
Note |
---|
The following procedure must be performed on each server that will be part of the software update point network load balancing cluster. |
To Install WSUS 3.0 to Support the Configuration Manager Software Update Point Site System Role
-
On a server that will be part of the software update point network load balancing cluster, create the following folder: <Program Files directory>\Update Services.
-
Install WSUS 3.0 on each server that will be a member of the SUP NLB cluster.
Note Configuration Manager 2007 Service Pack 1 (SP1) requires WSUS 3.0 SP1 or WSUS 3.0 Service Pack 2 (SP2). WSUS 3.0 SP2 is required to support Configuration Manager 2007 SP2 software update management for the Windows 7 and Windows Server 2008 R2 operating systems.
- Double-click the WSUS setup executable (WSUS3Setupx64.exe or WSUS3Setupx86.exe).
- On the Welcome page, click Next.
- On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.
- Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.
- On the Select Update Source page, select the Store updates locally check box and enter the path <Program Files directory>\Update Services.
- On the Database Options page, do one of the following.
If you are running WSUS Setup on the server hosting the WSUS SQL Server database, select Use an existing database server on this computer and select the instance name to be used from the drop-down list.
If you are running WSUS Setup on a computer that will not host the WSUS SQL Server database, select Use an existing database server on a remote computer and enter the FQDN of the SQL Server that will host the WSUS database followed by the instance name (if not using the default instance).
Note If another WSUS Server that will be part of the network load balancing cluster has been configured to use the same SQL Server database server, select Use existing database when prompted.
- On the Web Site Selection page, specify whether to use the existing Internet Information Services (IIS) Default Web site or to create a custom WSUS 3.0 Web site. When using the WSUS server for a software update point, it is recommended to use a custom WSUS Web site by selecting the Create a Windows Server Update Services 3.0 Web site to use a custom WSUS Web site option. Click Next.
Note By default, the custom WSUS Web site uses HTTP port 8530 and HTTPS (SSL) port 8531. If the Windows Firewall is enabled on the server being configured, ensure that WSUS exceptions are created and enabled in Windows Firewall after installing WSUS. For more information about configuring Windows Firewall for software updates, see How to Configure a Firewall for Software Updates.
- On the Ready to Install Windows Server Update Services page, review your choices, and then click Next to begin the WSUS 3.0 installation.
- On the Completing the Windows Server Update Services 3.0 Setup Wizard page of the WSUS 3.0 installation wizard, click Finish.
Important After clicking Finish, the Windows Server Update Services Configuration Wizard starts. Do not use the wizard to configure the WSUS installation; click Cancel to close the wizard. The WSUS server configuration is managed from within the Configuration Manager console.
-
Add the Software Update Point Connection Account to the local WSUS Administrators group on the server.
-
On the SQL Server computer that hosts the WSUS database, provide db_owner rights on the SUSDB database for the Software Update Point Connection Account.
-
Configure Internet Information Services (IIS) to enable content share access.
- Open the Internet Information Services (IIS) Manager console by clicking Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.
- Expand <server name>, expand Web Sites, and then expand the Web Site node for the WSUS Web site (either Default Web Site or WSUS Administration).
- Right-click the Content node and click Properties.
- On the Virtual Directory tab, select the A share located on another computer option for the resource content and fill in the UNC share name of the share created in step 3 of the To prepare the network environment for network load balanced software update point site systems procedure in this topic.
- Click Connect As, and enter the user name and password of the Software Update Point Connection account created in step 1 of the To prepare the network environment for network load balanced software update point site systems procedure in this topic. Click OK to close the Content node properties.
-
Configure SSL authentication in Internet Information Services (IIS).
Important This step is only required if the Configuration Manager 2007 site is configured to operate in native mode. If the Configuration Manager 2007 site is configured to operate in mixed mode, or SSL authentication will not be configured for WSUS on the site systems in a Configuration Manager 2007 site configured to operate in mixed mode, go to step 6.
a. Open Internet Information Services (IIS) Manager.
b. Expand Web Sites, and then expand the WSUS administration Web site (either Default Web Site or WSUS Administration).
c. Perform steps d through g on each of the following virtual directories of the WSUS administration Web site: APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService.
d. Right-click the virtual directory and then click Properties.
e. Click the Directory Security tab, and then click Edit in the Secure Communications section.
f. Select Require secure channel (SSL), and then click OK.
g. Click OK to close the properties for the virtual directory.
h. Close Internet Information Services (IIS) Manager.
i. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system node>.
-
Move the local content directory to the WSUS resource content share created in step 3 of the To prepare the network environment for network load balanced software update point site systems procedure in this topic.
Important This step must be followed for each of the front-end WSUS servers that are not on the same machine as the WSUS resource content share created in step 3 of the To prepare the network environment for network load balanced software update point site systems procedure in this topic.
- Open a command window and navigate to the WSUS tools directory on the WSUS server: cd Program Files\Update Services\Tools
- On the first WSUS server to be configured, at the command prompt, type the following command:
wsusutil movecontent <WSUSContentsharename> <logfilename>
Where <WSUSContentsharename> is the name of the WSUS content resource location share to which the content should be moved, and <logfilename> is the name of the log file that will be used to record the content move procedure.
- On the successive WSUS servers to be configured, at the command prompt, type the following command:
wsusutil movecontent <WSUSContentsharename> <logfilename> /skipcopy
Where <WSUSContentsharename> is the name of the WSUS content resource location share to which the content should be moved, and <logfilename> is the name of the log file that will be used to record the content move procedure.
Note To verify that the content move was successful, review the log file created during the procedure and use registry editor to review the HKLM\Software\Microsoft\Update Services\Server\Setup|ContentDir registry key to ensure that the value has been changed to the WSUS content resource location share name.
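The registry check described in the note above can be repeated across every cluster node. The following PowerShell is an added example, not part of the original documentation; the node names and share path are constructed placeholders, and it assumes the Remote Registry service is reachable on each node.

```powershell
# Added example: compare the ContentDir value on each WSUS node with the
# expected content share. Node names and the share path are constructed.

function Get-WsusContentDir {
    param([string]$ComputerName)
    # Reads HKLM\Software\Microsoft\Update Services\Server\Setup : ContentDir
    # through the Remote Registry service. Run from a 64-bit PowerShell
    # session when the nodes are x64, so the 64-bit registry view is read.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey('SOFTWARE\Microsoft\Update Services\Server\Setup')
        if ($null -eq $key) { return $null }   # key absent: WSUS not installed
        try { return $key.GetValue('ContentDir') } finally { $key.Close() }
    } finally {
        $hive.Close()
    }
}

function Test-WsusContentDir {
    param([hashtable]$ContentDirByNode, [string]$ExpectedShare)
    $expected = $ExpectedShare.TrimEnd('\')
    foreach ($node in ($ContentDirByNode.Keys | Sort-Object)) {
        $actual = $ContentDirByNode[$node]
        if ([string]::IsNullOrEmpty($actual)) {
            $status = 'Missing'        # value not set or key not found
        } elseif ($actual -notlike '\\*') {
            $status = 'LocalPath'      # movecontent has not been run on this node
        } elseif ($actual.TrimEnd('\') -ieq $expected) {
            $status = 'OK'
        } else {
            $status = 'Mismatch'       # points at a different share
        }
        New-Object PSObject -Property @{
            Node = $node; ContentDir = $actual; Status = $status
        }
    }
}

# Constructed sample values, so the comparison can be tried offline.
$sample = @{
    'SUP01' = '\\fs01.contoso.example\WSUSContent'
    'SUP02' = 'C:\Program Files\Update Services'
    'SUP03' = '\\fs02.contoso.example\OtherShare'
    'SUP04' = $null
}
Test-WsusContentDir -ContentDirByNode $sample `
    -ExpectedShare '\\fs01.contoso.example\WSUSContent\' |
    Select-Object Node, Status, ContentDir

# Live use (hypothetical node names):
# $live = @{}; foreach ($n in 'SUP01','SUP02') { $live[$n] = Get-WsusContentDir $n }
# Test-WsusContentDir -ContentDirByNode $live -ExpectedShare '\\fs01.contoso.example\WSUSContent'
```

With the constructed sample, SUP01 reports OK, SUP02 LocalPath, SUP03 Mismatch and SUP04 Missing; any status other than OK means that node still needs the movecontent step or points at the wrong share.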
Install the software update point site system role (on each server that will be part of the software update point network load balancing cluster)
To install the software update point site system role on servers that will be part of the network load balancing cluster
-
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> - <site name> / Site Settings / Site Systems.
-
Determine whether to create a new site system server or add the software update point site system role to an existing site system server, and then follow the associated step:
- To create a new site system server and add the software update point site role: Right-click Site Systems, click New, and then click Server.
- To add the software update point site role to an existing site system server: Right-click the site system server name, and then click New Roles.
-
Configure the general site system settings for the site system server. The following settings should be configured:
- Specify a fully qualified domain name (FQDN) for this site system on the intranet: This setting must be configured for the active software update point site system when the site server is in native mode.
- Specify an Internet-based fully qualified domain name for this site system: This setting must be configured for the active software update point if it accepts Internet-based client connectivity or for the active Internet-based software update point site system.
- Use another account for installing this site system: This setting must be configured when the computer account for the site server does not have access to the remote site system.
- Allow only site server initiated data transfers from this site system: This setting must be specified when the remote site system does not have access to the inboxes on the site server. This allows a site system from a different domain or forest to store the files that need to be transferred to the site server. The site server will periodically connect to the remote site system and retrieve the files. The Internet-based software update point might require this setting to be enabled.
Click Next.
-
Select Software update point, and then click Next.
-
Specify whether the site server will use a proxy server when connecting to the software update point, and then click Next.
-
Specify whether this site system should be configured as the active software update point. For this procedure, do not select Use this server as the active software update point; instead, click Next, and then click Close to exit the wizard.
Configure the Windows Server network load balancing cluster for installed software update point site systems
To configure the Windows Server network load balancing cluster for installed software update point site systems
-
To configure the Windows Server network load balancing cluster for installed software update point site systems, follow the instructions in the How to Configure Network Load Balancing for Configuration Manager Site Systems procedure.
-
After verifying that the network load balancing cluster is operating successfully, the software update point component can be configured to use the network load balancing cluster as the active software update point for the site using the Configuration Manager console.
Configure the active software update point component for the Configuration Manager site as the software update point network load balancing cluster.
To configure an NLB as the active software update point
-
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> - <site name> / Site Settings / Component Configuration and then double-click Software Update Point Component.
-
In the Software Update Point Component Properties dialog box, on the General tab, click Use Network Load Balancing cluster for active software update point.
-
Click Settings.
-
In the Network Load Balance Settings dialog box, click the IP Address Type arrow and then click FQDN. In the Virtual IP or FQDN (private) box, enter the FQDN of the SUP NLB cluster.
Note If the Configuration Manager 2007 site is configured to operate in native mode and a public FQDN is entered, you must use the FQDN created in step 6 of the To prepare the network environment for network load balanced software update point site systems procedure in this topic.
Click OK.
-
In the Software Update Point Component Properties dialog box, click Set and enter the name and password for the Software Update Point Connection account created in step 1 of the To prepare the network environment for network load balanced software update point site systems procedure in this topic.
Note The Enable SSL for this WSUS Server setting is enabled by default and cannot be modified if the site is in native mode.
-
Click OK.
See Also
Tasks
How to Add the Software Update Point Site Role to a Site System
How to Create and Configure an Active Internet-Based Software Update Point
How to Create and Configure an Active Software Update Point
Concepts
About the Software Update Point
About the Software Update Point Connection Account
Determine the Software Update Point Infrastructure
Planning for the Software Update Point Installation
Planning for the Software Update Point Settings