Join Brien Posey for an in-depth discussion in this video, Provide secondary access to Windows Update, part of Windows 10: Plan and Implement Software Updates.
- [Instructor] Typically the Windows Server Update Services are configured to download updates from Microsoft Update, however, that might not always be ideal. In larger organizations, the client workload can potentially overwhelm the Windows Server Update Services server. In situations like that, it's better to use an upstream/downstream topology. The way that this works is that the upstream server is a Windows Server Update Services server that downloads its updates from Microsoft Update. The downstream Windows Server Update Services servers download their updates from the upstream Windows Server Update Services server, and you can have multiple downstream servers so that you can distribute the client workload across multiple WSUS servers.
With that said, here's how you configure that type of topology. Go into the Windows Server Update Services console, which I'm in right now, and click on Options. When I do that, you'll notice that the very first option right here is Update Source and Proxy Server. I'm going to go ahead and click on that option now, and when I do that, I'm taken into the Update Source and Proxy Server dialog box, with the Update Source tab selected. You can see that right now, the server is configured to synchronize from Microsoft Update.
Typically, that is the way that this should be configured. If you only have a single WSUS server or if you have an upstream server, then this is the option that you're going to want to use. However, if you're configuring a downstream server, then you don't want that downstream server to be getting its updates from Microsoft Update. You want it to get the updates from the upstream Windows Server Update Services server instead. The way that you do that is by clicking on the Synchronize from another Windows Server Update Services server option, then you have to specify the server name.
You might enter something like IN-WSUS-WSUS2 as the server name, and then you have to populate the port number. You'll notice that right now, the port number is set to 8530 and that is the default port number that's used in the current generation of Windows. However, if you want to enable SSL encryption between the upstream and downstream servers, then you're going to have to use a different port number. The port number that Microsoft uses for SSL encrypted communications within WSUS is 8531.
You also have to select the Use SSL when synchronizing update information checkbox. Keep in mind that just making the changes on this side alone won't work. You're also going to have to update your upstream server and configure it to use SSL as well. If you're going to use SSL, both the upstream and the downstream servers have to be configured to use it, otherwise you'll end up with a mismatch. If you don't want to use SSL, then simply deselect this checkbox and set the port number back to 8530.
There's one other thing on this dialog box that is worth mentioning. There's a checkbox right here for This server is a replica of the upstream server. We have some explanatory text down below and it explains that a replica server mirrors updates, approvals, settings, computers, and groups from its parents. The caveat here is that you can only approve updates on a WSUS server. You can't do it on a replica server, so that's why you have to make a distinction as to whether or not this is a replica server.
That's how you go about synchronizing updates from an upstream server in WSUS.
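The same downstream configuration can be applied and checked from PowerShell. This is an added example, not part of the video; it assumes the UpdateServices module that ships with the WSUS role, an elevated session on the downstream server, and an upstream server that has already been configured for SSL.

```powershell
# Added example: run on the DOWNSTREAM WSUS server in an elevated session.
Import-Module UpdateServices

$Upstream = 'IN-WSUS-WSUS2'                      # server name used in the transcript
$UseSsl   = $true                                # set to $false for unencrypted sync
$Port     = if ($UseSsl) { 8531 } else { 8530 }  # 8531 = SSL, 8530 = default

# Check that the upstream listener answers on the chosen port before changing anything.
$probe = Test-NetConnection -ComputerName $Upstream -Port $Port -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${Upstream}:$Port. If using SSL, confirm the upstream server is configured for it."
}

# Point the local WSUS server at the upstream server instead of Microsoft Update.
$params = @{ UssServerName = $Upstream; PortNumber = $Port }
if ($UseSsl) { $params.UseSsl = $true }
# Add "Replica = $true" to $params only if approvals should be mirrored from the upstream server.
Get-WsusServer | Set-WsusServerSynchronization @params

# Read the stored settings back and flag a port/SSL mismatch.
$cfg = (Get-WsusServer).GetConfiguration()
[pscustomobject]@{
    SyncFromMicrosoftUpdate = $cfg.SyncFromMicrosoftUpdate
    UpstreamServer          = $cfg.UpstreamWsusServerName
    Port                    = $cfg.UpstreamWsusServerPortNumber
    UseSsl                  = $cfg.UpstreamWsusServerUseSsl
    IsReplica               = $cfg.IsReplicaServer
}

if ($cfg.UpstreamWsusServerUseSsl -and $cfg.UpstreamWsusServerPortNumber -ne 8531) {
    Write-Warning 'SSL is enabled but the port is not 8531.'
}
if (-not $cfg.UpstreamWsusServerUseSsl -and $cfg.UpstreamWsusServerPortNumber -eq 8531) {
    Write-Warning 'Port 8531 is set but SSL is disabled; update metadata would sync unencrypted or fail.'
}
```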
- Deploying updates manually
- Monitoring deployments
- Configuring automatic deployment rules
- Analyzing log files
- Approving and declining updates in Intune
- Deploying software from SCCM, WSUS, and Intune