Moving a WSUS server

So, you say that your current WSUS server has been through too much? Maybe someone tried different things on it. Maybe it was a DFS target, or even a DFS root; throw a little SharePoint server on it; mix in another server service or two, remove and add liberally, and you get a server that is crazy confused. Add to that the fact that its age is starting to show, and the hardware is out of warranty.

Given all of that, you decide to move WSUS to a new server. Hold your horses there, this isn’t like Active Directory where you can move the primary server, after an almost insane amount of work. Actually, the best instructions I have found for doing that are the ones for installing SBS2003 in an existing domain, mostly because they cover all of the steps needed to move AD from one SBS2003 server to another. However, there are some *ahem* automatic steps that you might have to do by hand.

However, we are talking about WSUS, not Active Directory. This is going to be a lot harder. See, with AD, you basically add an AD server, promote it, move all of the stuff that goes on the primary AD server, and then shut down the old primary and pray. With WSUS, there is no way to move its components to another server auto-magically.

WSUS Server Types

When you set up WSUS on a server, you have 3 ways of setting it up:


  1. Synchronize from Microsoft Update
    This makes this server a stand-alone server
  2. Synchronize from another WSUS server but not replicate
    This type makes this WSUS server a stand-alone, but uses another WSUS server like a proxy to download updates
  3. Synchronize from another WSUS server and be a replica of it
    This mode makes this server simply act as a holder for updates; all approvals happen at the primary WSUS server

How you think moving should happen

Well, for me, I thought that the steps would be something like:


  • Install WSUS on second server
  • Configure second server to be the replica of the first server
  • Once replication is finished, promote second server to be stand alone
  • Change Group Policy Object for all computers in the domain and tell them to use the new server
  • Rejoice!

Wow, wouldn’t you know it, that won’t happen. See, the database that gets set up for a replica is not the same as a stand-alone one, and you can’t promote it to stand-alone once it has been set up. So, out of despair, I tried another option; I tried to set up a second stand-alone server, downloaded updates, approved everything that should be approved, and then tried to change a single client’s settings to use the new server. That didn’t work. To make that long story short, it seems that if there is even a slight difference in the approved packages, the client won’t accept the new server. Even if the difference is old packages that are either no longer available, or have been superseded by a newer version.

So, I tracked down some information from the web (thanks Google) and here are the steps I found.

How to move WSUS server

What you need to do is to create what is simply a duplicate of the existing WSUS server information, and load that into the new server. Here is what you do:


  1. Set up the new WSUS server
  2. On the old server, export the WSUS data by running

    wsusutil export filename.cab logfile.xml

  3. Copy the .cab file to the new WSUS server
  4. On the new server, import that WSUS data by running

    wsusutil import filename.cab newlogfile.xml

  5. Open WSUS on the new server and verify settings and approved/declined updates
  6. Change the Group Policy Object(s) which specifies the WSUS server name
  7. After a few days, verify no machines are connecting to the old WSUS server

Once your machines are updating from the new server, you can shut down the old one.

Special Scenario: Changing the Port that WSUS uses

By default, the installer sets WSUS to port 80 of the server. That means all requests from client machines and from admin consoles are on port 80. This could be a problem if you want to use this same machine for other web services, or if the machine is visible on the Internet (which is not that great of an idea anyway).

I have looked through the registry for WSUS, and there are places where it stores the port number. Therefore, I would suspect that simply changing the port number on an existing machine would be very difficult. It would include not only changing the settings in IIS Manager for the Default Web Site, but also changing registry entries for WSUS to know it is on the correct port. Even with that, I would not bet money that would work.

Therefore, my option would be to perform a WSUS server move, but keeping it on the same machine, instead of moving to a new server. This does complicate things, because you will not have a former server to go back to in case of a problem with the new installation. Therefore, it is important to have a full backup of your server ready in case something goes wrong. If you are using SQL Server for WSUS and that is a physically different server, you should also perform a database backup on it, if not a full server backup.


  1. Back up, for the love of your data, BACK THE SERVER UP!
  2. Export your WSUS data by running

    wsusutil export filename.cab logfile.xml

  3. Copy the .cab and .xml files to a safe location
  4. Uninstall WSUS
  5. If using SQL Server, you may want to check to make sure the WSUS database has been removed
  6. Install WSUS on the server, using the new port setting
  7. Import the WSUS data into the new install by running

    wsusutil import filename.cab newlogfile.xml

  8. Open the WSUS admin console to verify that it is up and running correctly
  9. Edit your Group Policy Object(s) to use the new port number

If your system does not work correctly, then you should restore the server from the backup(s) you made.
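
A client-side check for the Group Policy step that ends both procedures above. This is an added example, not part of the original post: the expected URL is a placeholder, and the script assumes the standard Windows Update policy registry values (`WUServer`, `WUStatusServer`, `UseWUServer`) that the WSUS Group Policy settings write on each client.

```powershell
# Added example: confirm a client picked up the new WSUS URL (server and port)
# from Group Policy. $ExpectedUrl is a placeholder; use your own server and port.
param(
    [string]$ExpectedUrl = 'http://newwsus.example.local:8530'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied yet).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-SameUrl {
    param([string]$Actual, [string]$Expected)
    # A trailing slash or a case difference is not a mismatch.
    if ([string]::IsNullOrEmpty($Actual)) { return $false }
    $Actual.TrimEnd('/') -ieq $Expected.TrimEnd('/')
}

$result = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    WUServer       = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer    = Get-PolicyValue $auKey 'UseWUServer'
}

$problems = @()
if ($result.UseWUServer -ne 1) {
    $problems += 'UseWUServer is not 1: the client is not told to use an intranet update server.'
}
if (-not (Test-SameUrl $result.WUServer $ExpectedUrl)) {
    $problems += "WUServer is '$($result.WUServer)', expected '$ExpectedUrl'."
}
if (-not (Test-SameUrl $result.WUStatusServer $ExpectedUrl)) {
    $problems += "WUStatusServer is '$($result.WUStatusServer)', expected '$ExpectedUrl'."
}

$result | Format-List
if ($problems.Count -eq 0) {
    'OK: this client is pointed at the new WSUS server.'
} else {
    $problems
    exit 1
}
```

A client still showing the old URL after a policy refresh is one that will keep contacting the old server, which is what the "verify no machines are connecting" step is meant to catch.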


3 Responses

  1. Thankfully, I’ve found some information after a few hours of looking from someone who’s actually done it with WSUS 3. Kudos to you, look forward to seeing this work when I replace my core home server over the next week.

  2. Hi,

    I have gone through this process last week. I have followed the step-by-step procedure found at the following blog http://www.itcomparison.com/blg/operating-systems/how-to-move-microsoft-wsus-services-to-another-server.html
    I hope that will be of a good help to everyone.

    Enjoy
    VMguru007

  3. I like it very much! Just admirable! Your authorship manner is pleasing and the way you embraced the topic with grace is exemplary. I am intrigued, I assume you are a master on this issue. I am subscribing to your updates from now on.
