Software Update Service (SUS) and SBS 2003

Hiya folks – Happy Weekend to You!

I am the publisher of the Microsoft Small Business Specialist Primer and I like to hold virtual book readings. Today we are focused on the updating capabilities in SBS 2003. Let’s rock!

Configure Software Update Service

One of the most important steps you can take in securing your SBS 2003 network is downloading Windows updates. Patches and fixes can be downloaded as soon as they are made available. Of course, you could set each client machine to download Windows updates automatically, but that would create a lot of traffic at once. You can centralize updates by using SUS (Software Update Services).


Working with SUS

SUS is a free download from http://www.microsoft.com/sus and provides patch scanning and installation services. Once installed, it will scan the network, advise which patches are needed, and apply them based on your policy settings. When installing SUS, you can choose whether you want the SUS server to download the required patches from Windows Update or host all patches on the SUS server. If you decide on the latter, ensure you have at least 6 GB of space on the host machine.

IMPORTANT: For SBS 2003 Premium Edition, ISA Server 2000 users: For clients to update successfully, you must host updates locally or configure ISA Server 2000 not to require authentication.

Approving Updates

Before patches are rolled out to clients, they must first be approved by the SUS administrator. You can access SUS over a web interface at http://servername/SUSAdmin, where you click on the Approve Updates link. Select one of the update choices and then click the Approve button.

Configure SUS Using GPO

There are two policies you can configure for SUS: the Basic SUS Config Group Policy object (GPO) and the Scheduled Install SUS Config GPO. The steps outlined below show how to configure both GPOs, which will apply to computer accounts located in the MyBusiness organizational unit.

The Basic SUS Config GPO configures updates to be automatically downloaded and the user can choose when to install them. This GPO typically applies to servers on a network, but can be used to let the user of a client computer choose when to install updates.

1.      Log on to the Small Business Server (as an admin or an account that has admin rights and permissions), and go to the Server Management console.

2.      Double-click Advanced Management in the console tree.


Chapter 6 ? Securing Windows Small Business Server 2003

3.      Double-click Group Policy Management, double-click Forest: your domain name.

4.      Double-click Domains, right-click your domain name, click Create and Link a GPO Here.

5.      Type Basic SUS Config in the text box and click OK.

6.      The GPO will now show in the details pane. Right-click Basic SUS Config and click Edit.

7.      The GPO editor will open. Go to Computer Configuration.

8.      Double-click Administrative Templates, double-click Windows Components and select Windows Update.

9.      Double-click Configure Automatic Updates in the details pane and select Enabled.

10.     Leave the default setting (3-Auto download and notify for install) and click OK.

11.     Double-click Specify intranet Microsoft update service location and click Enabled.

12.     Type http://your server name in both text boxes. (Set the intranet update service for detecting updates, Set the intranet statistics server.) Click OK, and close the GPO editor.

The Scheduled Install SUS Config GPO is an optional GPO that configures client computers on a network to automatically download and install updates based on a defined schedule.

1.      Log on to the Small Business Server (as an admin or an account that has admin rights and permissions), and go to the Server Management console.

2.      Double-click Advanced Management in the console tree.

3.      Double-click Group Policy Management, double-click Forest: your domain name.

4.      Double-click Domains, double-click your domain name, MyBusiness and then Computers.

5.      Right-click SBSComputers (as shown in Figure 6-5) and click Create and Link a GPO Here.

6.      Type Scheduled Install SUS Config and click OK. It will now show under SBSComputers in the console tree.

7.      Right-click Scheduled Install SUS Config and click Edit. The GPO Editor will open.

8.      Under Computer Configuration click on Administrative Templates and double-click Windows Components and select Windows Update.

9.      Double-click Configure Automatic Updates and select Enabled.

10.     Under Configure automatic updating, select 4 – Auto download and schedule the install from the drop down and leave the default 0 – Every day as the Scheduled install day.

11.     In the Scheduled install time the default time of 3:00 will show. Click OK.

12.     Double-click Specify intranet Microsoft update service location and click Enabled.

13.     Type http://your server name in both text boxes. (Set the intranet update service for detecting updates, Set the intranet statistics server.) Click OK, and close the GPO editor.

14.     Double-click Reschedule Automatic Updates scheduled installations. The Reschedule Automatic Updates scheduled installations properties will open. Click Enabled.

15.     The default value 5 for Wait after system startup (minutes) will show. Click OK.

16.     Double-click No auto-restart for scheduled Automatic Updates installations. The No auto-restart for scheduled Automatic Updates installations properties will open. Click Disabled and click OK.

17.     Close the GPO editor.


Figure 6-5: Create and Link a GPO

 

At times the Group Policy may not seem to take effect (by default it should push updates from the server to clients every 90 minutes), or you may want to force the Group Policy update immediately. In that case, log on to the client machine as the administrator:

1.      On a computer running Windows XP, click Start, click Run.

2.      In the Open box, type cmd, and click OK. The command prompt will open.

3.      Type gpupdate /force, and press ENTER.
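
Once the policy has refreshed, you can confirm on the client that the Windows Update settings from the two GPOs above actually arrived in the registry. This PowerShell check is an added example, not from the book: the function name Test-SusPolicy and the server URL are placeholders, and the registry value names are the ones the Windows Update administrative template writes under the Policies key.

```powershell
# Added example: compare the client's Windows Update policy values with what
# the Basic or Scheduled Install SUS Config GPO is meant to set.
# Test-SusPolicy and the default $Server value are hypothetical placeholders.
function Test-SusPolicy {
    param(
        [string]$Server = 'http://your-server-name',
        [ValidateSet('Basic', 'Scheduled')]
        [string]$Gpo = 'Scheduled'
    )

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"

    # Both GPOs point the client at the SUS server for updates and statistics.
    $expected = @(
        @{ Key = $wuKey; Name = 'WUServer';       Want = $Server },
        @{ Key = $wuKey; Name = 'WUStatusServer'; Want = $Server },
        @{ Key = $auKey; Name = 'UseWUServer';    Want = 1 }
    )
    if ($Gpo -eq 'Basic') {
        # 3 - Auto download and notify for install
        $expected += @{ Key = $auKey; Name = 'AUOptions'; Want = 3 }
    } else {
        $expected += @(
            @{ Key = $auKey; Name = 'AUOptions';                     Want = 4 },  # schedule the install
            @{ Key = $auKey; Name = 'ScheduledInstallDay';           Want = 0 },  # 0 - Every day
            @{ Key = $auKey; Name = 'ScheduledInstallTime';          Want = 3 },  # 3:00
            @{ Key = $auKey; Name = 'RescheduleWaitTimeEnabled';     Want = 1 },
            @{ Key = $auKey; Name = 'RescheduleWaitTime';            Want = 5 },  # minutes after startup
            @{ Key = $auKey; Name = 'NoAutoRebootWithLoggedOnUsers'; Want = 0 }   # policy set to Disabled
        )
    }

    foreach ($e in $expected) {
        # A missing key or value means the GPO has not applied to this computer.
        $props = Get-ItemProperty -Path $e.Key -ErrorAction SilentlyContinue
        $have  = if ($props) { $props.($e.Name) } else { $null }
        [pscustomobject]@{
            Setting  = $e.Name
            Expected = $e.Want
            Actual   = $have
            Ok       = ($null -ne $have) -and ($have -eq $e.Want)
        }
    }
}

# List only the settings that are missing or differ from the Scheduled Install GPO.
Test-SusPolicy -Server 'http://your-server-name' -Gpo Scheduled | Where-Object { -not $_.Ok }
```

An empty result means every expected value is present; a client that is not in the SBSComputers OU should be checked with -Gpo Basic instead.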


IMPORTANT: It is a good measure to actually click through these exercises as you read them to get the full effect of combining text with visual images. This will be your valid hands-on tool and help you recall the material during the exam.

cheers….harrybbbb

Harry Brelsford, CEO at SMB Nation

MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)

PS – my Small Business Server 2008 (SBS 2008) book is now here!
