3. Configuring and Administering SUS
You will perform three administrative tasks related to SUS: configuring SUS settings, synchronizing content, and approving content. These tasks are performed using the SUS Administration Web site, shown in Figure 1, which can be accessed by navigating to http://SUS_servername/SUSAdmin with Internet Explorer 5.5 or later, or by opening Microsoft Software Update Services from the Administrative Tools programs group. The administration of SUS is entirely Web-based.
Tip
You might need to add Server01 to the Local Intranet trusted site list to access the site. Open Internet Explorer, and choose Internet Options from the Tools menu. Click the Security tab. Select Trusted Sites, and click Sites. Add Server01 and Server01.contoso.com to the trusted site list.
Note
You must be a local administrator on the SUS server to administer and configure Software Update Services. This is another consideration as you review dedicating the SUS server. With a dedicated SUS server, you can delegate administration of SUS without inadvertently delegating authority over other server roles or applications.
3.1 Configuring Software Update Services
Although some of the configuration of SUS can be specified during a custom installation, all SUS settings are accessible from the SUS Administration Web page. From the Software Update Services administration page, click Set Options in the left navigation bar. The Set Options page is shown in Figure 2.
The configuration settings are as follows:
Proxy server configuration
If the server running SUS connects to Windows Update using a proxy server, you must configure proxy settings.
Tip
Although the SUS server can be configured to access Windows Update through a proxy server that requires authentication, the Automatic Updates client cannot access Windows Update if the proxy server requires authentication. If your proxy server requires authentication, you can configure SUS to authenticate and you must store all update content—files as well as metadata—locally.
DNS name of the SUS server
In the Server Name box, type the fully qualified domain name (FQDN) of the SUS server—for example, sus1.contoso.com.
Content source
The first SUS server you install will synchronize its content from Microsoft Windows Update. Additional SUS servers can synchronize from Windows Update, from a “parent” SUS server, or from a manually created content distribution point. See the “SUS Topology” sidebar for more information.
New versions of approved updates
The Set Options page allows you to modify how SUS handles new versions of previously approved updates. This option is discussed earlier in the lesson.
File storage
You can modify the storage of metadata and update files. This option is also discussed earlier in the lesson.
Tip
If you change the storage location from a Windows Update server to a local server folder, you should immediately perform a synchronization to download the necessary packages to the selected location.
Languages
This setting determines the locale-specific updates that are synchronized. Select only languages for locales that you support in your environment.
Tip
If you remove a locale, the packages that have been downloaded are not deleted; however, clients will no longer receive those packages. If you add a locale, perform a manual synchronization to download appropriate packages for the new locale.
Software Update Services is all about enabling you to control the approval and distribution of updates from Microsoft Windows Update. In a small organization, SUS can be as simple as one server, synchronizing from Windows Update and providing a list of approved updates to clients.
In a larger organization, SUS topologies can be developed to make SUS more scalable and efficient.
Multiple server topology
Each SUS server synchronizes content from Windows Update and manages its own list of approved updates. This is a variation of a single-server model, and each SUS server administrator has control over that server’s list of approved updates. Such a configuration also allows an organization to maintain a variety of patch and update configurations (one per SUS server). Clients can be directed to obtain updates from an SUS server with the appropriate list of approved updates.
Strict parent/child topology
A “parent” SUS server synchronizes content from Windows Update and stores updates in a local folder. The SUS administrator then approves updates. Other SUS servers in the enterprise synchronize from the parent and are configured, on the Set Options page, to Synchronize List Of Approved Items Updated From This Location (Replace Mode). This setting causes the child SUS servers to synchronize both the update files and the list of approved updates. Network clients can then be configured to retrieve updates from the SUS server in or closest to their site. In this configuration (Synchronize List Of Approved Items), administrators of child SUS servers cannot approve or disapprove updates; that task is managed on the parent SUS server only.
Loose parent/child topology
A “parent” SUS server synchronizes content from Windows Update and stores updates in a local folder. Other SUS servers in the enterprise synchronize from the parent. Unlike the strict configuration, these additional SUS servers do not synchronize the list of approved updates, so administrators of those servers can approve or disapprove updates independently. Although this topology increases administrative overhead, it is helpful when an organization wants to minimize Internet exposure (because only the parent SUS server needs to connect to the Internet) and requires (as in the multiple-server model) distributed power of update approval or a variety of client patch and update configurations.
Test/production topology
This model allows an organization to create a testing or staging environment for updates. The parent SUS server downloads updates from Windows Update, and an administrator approves updates to be tested. One or more clients retrieve updates from the parent SUS server and act as test platforms. Once updates have been approved, tested, and verified, the contents of the parent SUS server are copied to a manually created content distribution point on a second IIS server. Production SUS servers synchronize both the updates and the list of approved updates from the manual content distribution point. The steps for configuring such a manual distribution point are detailed in the Software Update Service Deployment White Paper, available from the Microsoft SUS Web site.
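The difference between the strict and loose parent/child topologies is who holds approval authority. The following Python model is an added illustration, not part of SUS or of the original text; the class, function, and update names are hypothetical and the update IDs are constructed.

```python
# Model of approval authority in the strict and loose parent/child topologies.
# All names here are hypothetical; "KB-A" etc. are constructed update IDs.

class SusServer:
    def __init__(self, name, parent=None, replace_mode=False):
        self.name = name
        self.parent = parent              # None: synchronize from Windows Update
        self.replace_mode = replace_mode  # True: strict child (Replace Mode)
        self.content = set()              # updates synchronized to this server
        self.approved = set()             # this server's list of approved updates

    def synchronize(self, windows_update=frozenset()):
        """Pull content from the source; a strict child also pulls approvals."""
        source = self.parent.content if self.parent else windows_update
        self.content |= set(source)
        if self.parent and self.replace_mode:
            # Replace Mode: the child's own list is overwritten by the parent's.
            self.approved = set(self.parent.approved)

    def approve(self, update):
        if self.parent and self.replace_mode:
            raise PermissionError(
                f"{self.name}: approvals are managed on {self.parent.name}")
        if update not in self.content:
            raise ValueError(f"{self.name}: {update} has not been synchronized")
        self.approved.add(update)


def approval_drift(parent, children):
    """Per child, list approvals that differ from the parent's list."""
    return {c.name: sorted(c.approved ^ parent.approved)
            for c in children if c.approved != parent.approved}


def demo():
    catalog = {"KB-A", "KB-B", "KB-C"}    # constructed Windows Update content
    parent = SusServer("parent")
    strict = SusServer("strict-child", parent, replace_mode=True)
    loose = SusServer("loose-child", parent)
    parent.synchronize(catalog)
    parent.approve("KB-A")
    for child in (strict, loose):
        child.synchronize()
    loose.approve("KB-B")                 # independent decision on the loose child
    return parent, strict, loose
```

Calling approval_drift on the servers returned by demo() reports only the loose child, which is the administrative overhead the sidebar describes: each loosely coupled server's approved list has to be reviewed on its own.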