How to Setup Network Load Balancing for Configuration Manager Software Update Points


Before we get started a huge thank you to Meghan Stewart (Support Escalation Engineer) and Mike Johnson (Senior Support Escalation Engineer) for their knowledge and assistance with this blog.

 

I have several customers who have been interested in Network Load Balancing for Configuration Manager Software Update Points (SUP). Reasons vary from wanting to avoid costly network catalog resyncs, to needing a more fluid, resilient solution responsible for patching their large-scale environment. A few considerations should be taken into account prior to deploying in production.

 

Considerations

  1. All or some clients will have to download a new catalog. Depending on how you implement, either by using one of the existing WSUS servers or standing up all new WSUS servers, your clients will need to download the entire catalog from its new WSUS source. You should plan to remove existing SUPs one at a time to slowly cutover clients. (Good news: TP 1604 will allow you to force clients to a new SUP via Client Notification. This will eventually allow you to cut over clients in a surgical manner vs shotgun style, once it reaches production builds.)
  2. Depending on your Configuration Manager infrastructure setup, it is currently only recommended to share WSUS infrastructure at the CAS or Primary infrastructure. If you have Secondary Site SUP, it will still need to remain as an independent WSUS/SUP endpoint. Additionally, you can only have a maximum 4 SUPs at a primary site. See best practice references here and here.
  3. DOCUMENT THIS CHANGE IN YOUR ENVIRONMENT! This is not a standard WSUS/SUP configuration. Even worse, there is nothing in the consoles to identify the WSUS/SUPs are load balanced and utilizing shared infrastructure. It would be easy to assume the SUP roles and WSUS endpoints can be reinstalled without proper configuration, potentially causing network outages due to clients downloading the catalog every time the load balancer would point them to a different WSUS/SUP server.
  4. Update your Windows Update Agent (WUA), especially for Windows 7 / Server 2008 R2. Over the past year, the Windows Product Group has made several updates to the WUA. This has been for various reasons, but performance has been one of the main reasons it has been updated. If you are in an environment that only deploys Critical and Security updates, you have probably not been updating WUA through your normal patching process. WUA is categorized as an “Update”, and in most cases only gets updated when your OSD/MDT gold image gets updated. Create a query in SCCM showing the versions of WUA and the OS in your environment. If they are not up to date, put together a process to update them prior to implementing this change in production.

 

The 50,000-foot view

 

At a high level, a minimum configuration requires 2 WSUS servers, 1 database server and some sort of load balancing method. Below is a diagram of this configuration.

[Diagram: NLB configuration]

Traffic comes in through the load balancer to the IIS servers. If content is needed (e.g. an EULA download), the request is directed to the share from which the content is downloaded. The DFS role is optional but recommended, especially for HA considerations. If the content is only stored on one of the servers, that server becomes a single point of failure. I will cover this in detail, but when you install WSUS, you point both installs to the same database server and content location. This is called a shared database and shared content configuration. The WSUS servers will be identical, which is what allows us to load balance between them without clients having to download the entire catalog every time they hit a different WSUS server.

 

How To

Now that we have covered some of the considerations and a high-level overview of the end result, let’s get started.

    1. Identify where the database is going to be installed. Your account must have sysadmin rights over that instance; otherwise, the install will not work. In my lab, I am using a multipurpose SQL server, which uses the default instance name.
    2. Identify where the content location for WSUS is going to be stored. I am going to setup a DFS share in my lab between the 2 WSUS servers as shown in the diagram above. I am not going to cover how to setup DFS, but if you need assistance in this, you can find an easy how to here.
      1. \\Contoso.Local\WSUS\WSUSContent$
      2. Both WSUS frontend computer objects will need to have FULL CONTROL over this folder. In this example, my 2 frontend servers are the following
          1. CM12R2.contoso.local
          2. WSUS02.contoso.local
    3. Identify your NLB VIP/Hostname, in my lab, the following is my NLB Hostname.
      1. WSUS.Contoso.local
    4. Now that we have our database location and shared folder, we can install WSUS on the first server (CM12R2).
      1. Open Server Manager and click on Add Roles and Features.
      2. Once you are at the Role selection, scroll to the bottom and select Windows Server Update Services.
      3. Accept the Add Features prompt.
      4. Once you are at the WSUS Configuration, uncheck WID and check Database.
      5. Enter the share location for the WSUS content.
      6. Type in the SQL Server name and click Check Connection.
      7. Click next if successfully connected.
      8. Now Click Install.
    5. Once the install is complete you will need to reboot your server.
    6. Now that WSUS is successfully installed on CM12R2, I can proceed with installing WSUS on my second server (WSUS02).
      1. Open Server Manager and click on Add Roles and Features.
      2. Once you are at the Role selection, scroll to the bottom and select Windows Server Update Services.
      3. Accept the Add Features prompt.
      4. Once you are at the WSUS Configuration, uncheck WID and check Database.
      5. Enter the share location for the WSUS content.
      6. Type in the SQL Server name and click Check Connection.
      7. Click next if successfully connected.
      8. Now Click Install.
    7. Now we need to run the post install process via WSUSUtil.exe on BOTH servers.
      1. Open Administrative Command Prompt
      2. cd "C:\Program Files\Update Services\Tools"
      3. wsusutil postinstall SQL_INSTANCE_NAME=SQL01.Contoso.Local CONTENT_DIR=\\Contoso.Local\WSUS\WSUSContent$
    8. Once Post Install has completed successfully on both servers, we need to verify the following settings are correct.
      1. Open Regedit on both servers.
        1. HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup
          1. Verify the “SQLServerName” and “ContentDir” values match their respective values on both servers.
      2. Open IIS on both servers.
        1. Navigate to Sites\WSUS Administration\Content
        2. Right Click on Content and select “Manage Virtual Directory > Advanced Settings”
          1. We need to verify the Physical Path is correct.
            1. Notice the leading “\\” is missing from my network location. I need to add “\\” so the Physical Path works when clients request files from the Content Virtual Directory.
            2. Now my Physical Path is correct.
          2. Now verify the Physical Path Credentials are set to Application User (Pass-Through Authentication).
            1. Select the line and click the ellipsis on the right side.
          3. Now verify you can Explore from the Content Virtual Directory.
            1. Right Click on Content and click Explore
            2. Explorer opens to the correct location
        3. We need to verify the Authentication method on the Content Virtual Directory.
          1. Click on Content
          2. Open Authentication
          3. Right Click on Anonymous Authentication and click Edit
          4. Change the User Identity to Application pool identity and click OK.
      3. Now to verify ACL permissions on the content folder
        1. Go to the root of the WSUS Content directory. In my lab, I have navigated to \\Contoso.local\WSUS\WSUSContent$\WsusContent.
        2. Create a text file in this directory called ContentFolderAclsCheck.txt
        3. Stop and Start the WSUS Service
          1. Via PowerShell
            1. Stop-Service -Name WsusService
            2. Start-Service -Name WsusService
        4. If you return to the root of the WSUS Content directory, the ContentFolderAclsCheck.txt file should be gone. If not, ensure both server computer objects have Full Control over this share/directory.
      4. Final Check is to run a health check from WSUSUtil
        1. Open an Administrator command prompt.
        2. Navigate to C:\Program Files\Update Services\Tools
        3. Run WSUSUtil.exe checkhealth
        4. Open Event Viewer and verify there are no Event Errors from Windows Server Update Service.
          1. If you have Event ID 10012, see this article.
      5. Next, we need to configure the WSUS Pool on both WSUS Servers based on the guidance from the Configuration Manager documentation here.
      6. Increase the WsusPool Queue Length to 2000
      7. Increase the WsusPool Private Memory Limit to 4 times the default, or set it to 0 (unlimited).
        1. This should be based on the other Configuration Manager roles installed/not installed on the server and the amount of available RAM.
        2. To change these values, open IIS on both servers
        3. Expand the Server and click on Application Pools
          1. Right click on WsusPool and choose Advanced Settings.
          2. Change Queue Length to 2000
          3. Set the Private Memory Limit. I am changing my lab to 4 times the default.
      8. Now that both servers are setup and configured correctly we need to install the Software Update Points on both Servers.
        1. Open the Configuration Manager Console.
        2. Navigate to Administration\Overview\Site Configuration\Servers and Site System Roles
        3. To install the first SUP role on a pre-existing Site System, CM12R2.
          1. Right Click on the Site System and click Add Site System Roles.
          2. Verify the information on the first page and click Next.
          3. Configure Proxy settings IF needed, click Next.
          4. Select Software Update Point and click Next.
          5. Select to use Ports 8530/8531, click Next.
          6. If you use a Proxy, check the top 2 boxes.
          7. If you are deploying a SUP into an untrusted forest, check Use credentials to connect to the WSUS server and set the credentials. Click Next.
          8. Set the synchronization source for your environment. In my lab, I am choosing to synchronize from Windows Update directly. Click Next. Note: the following steps only show up if you no longer have any SUPs in your environment.
          9. Set your synchronization schedule. In my lab, I set it fairly frequently for testing purposes.
          10. Set the superseded behavior for your environment.
            1. If you are on Configuration Manager Current Branch, check the box to run the WSUS Cleanup Wizard; this will perform WSUS maintenance for you.
          11. On the next 2 pages, select the classifications and products necessary for your environment.
          12. Choose your relevant languages.
          13. Once you have reached the Summary page, click Install.
          14. Check the relevant log folder for SUPInstall.log.
    9. Install SUP role on second WSUS Server, (WSUS02).
    10. Add the Primary Site Server to the Local Administrators group on the new server.
    11. From the console, navigate to Administration\Overview\Site Configuration\Servers and Site System Roles.
      1. Right Click and choose Create Site System Server
      2. Add the Server Name, select the correct Site Code and click Next.
      3. Configure Proxy settings IF needed, click Next.
      4. Select Software Update Point and click Next.
      5. Select to use Ports 8530/8531, click Next.
      6. If you use a Proxy, check the top 2 boxes.
      7. If you are deploying a SUP into an untrusted forest, check Use credentials to connect to the WSUS server and set the credentials. Click Next.
      8. Once you have reached the Summary page, click Install.
      9. Check the relevant log folder for SUPInstall.log.
    12. Now that both servers have WSUS and the SUP role installed, the last configuration step is to set the NLB address on both SUPs via PowerShell.
      1. Launch PowerShell from the Console.
      2. Run the following cmdlets for both Software Update Points.
        1. Set-CMSoftwareUpdatePoint -Name CM12R2.Contoso.Local -NlbVirtualIP WSUS.Contoso.Local
        2. Set-CMSoftwareUpdatePoint -Name WSUS02.Contoso.Local -NlbVirtualIP WSUS.Contoso.Local
          1. These commands tell the clients to use the NLB address instead of the individual SUP host names. In my lab, I have a Round Robin DNS record for WSUS.Contoso.Local, which I would not recommend for production use. The -NlbVirtualIP parameter accepts a hostname or an IP address. You can check whether clients are using the new address by looking at the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
    13. Start a manual Synchronization
      1. From the Console, navigate to Software Library\Overview\Software Updates\Software Update Groups.
      2. In the top right of the ribbon, click Synchronize Software Updates and say Yes to the prompt.
      3. Navigate to the Site Server Logs and open the wsyncmgr.log to ensure the first sync is successful.
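To check the client side of step 12 together with the WUA version from consideration 4, here is an added PowerShell script (not from the original post) to run on a client; it assumes the lab NLB name WSUS.Contoso.Local on port 8530, which you would replace with your own value:

```powershell
# Added example, not from the original post: run on a client to confirm it points at the
# NLB name set with Set-CMSoftwareUpdatePoint and to report its Windows Update Agent version.
# Assumed value: the lab NLB name WSUS.Contoso.Local on the HTTP port 8530; adjust to yours.
param(
    [string]$ExpectedServer = 'http://WSUS.Contoso.Local:8530'
)

# Policy key the ConfigMgr client writes after it receives its SUP assignment
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# wuaueng.dll carries the WUA version; Get-WmiObject keeps this working on Windows 7 / PowerShell 2.0
$wuaVersion = (Get-Item "$env:windir\System32\wuaueng.dll").VersionInfo.ProductVersion
$osCaption  = (Get-WmiObject -Class Win32_OperatingSystem).Caption

# Both WUServer and WUStatusServer should carry the NLB name, not an individual SUP host name.
# String -eq is case-insensitive in PowerShell, so casing differences in the registry do not matter.
$usesNlb = ($policy.WUServer -eq $ExpectedServer) -and ($policy.WUStatusServer -eq $ExpectedServer)

New-Object -TypeName PSObject -Property @{
    ComputerName   = $env:COMPUTERNAME
    OS             = $osCaption
    WUAVersion     = $wuaVersion
    WUServer       = $policy.WUServer
    WUStatusServer = $policy.WUStatusServer
    UsesNlbName    = $usesNlb
}
```

A client still showing an individual SUP host name has not yet picked up the new policy, so give it a policy refresh before assuming the NLB setting failed.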

Troubleshooting

    1. If the first sync is not successful, open the WCM.log and look for errors like the following.
      1. If you have a 503 error, like the one above, ensure the WSUS pool is started on all the WSUS servers.
    2. If you have a 401 Unauthorized, like the one above, this typically means you have some type of authentication issue with either the WSUS Administration website or one of its subsites.
      1. In past experience, this typically has to do with the Anonymous Authentication user not being set to the Application Pool Identity. You can use the instructions above, Step 8, Section b, Part iii, to change other users to the Application Pool Identity. Only do so if something is not working correctly.
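As an added example (not from the original post), the following PowerShell script collects the step 8 settings that must match on both servers, including the anonymous authentication identity behind the 401 case above; it assumes the lab values SQL01.Contoso.Local and \\Contoso.Local\WSUS\WSUSContent$, and the WebAdministration module present on the WSUS servers:

```powershell
# Added example, not from the original post: run on each WSUS front end and compare the output
# line by line; every value should be identical on both servers. Assumed values are the lab
# names from the post (SQL01.Contoso.Local and \\Contoso.Local\WSUS\WSUSContent$).
param(
    [string]$ExpectedSql     = 'SQL01.Contoso.Local',
    [string]$ExpectedContent = '\\Contoso.Local\WSUS\WSUSContent$'
)
Import-Module WebAdministration

# Step 8a: registry values written by wsusutil postinstall
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'

# Step 8b: Content virtual directory; an empty userName means Application User (pass-through)
$content = Get-WebVirtualDirectory -Site 'WSUS Administration' -Name 'Content'

# Step 8b iii and the 401 case above: an empty anonymous userName means the application pool identity
$anonUser = (Get-WebConfigurationProperty -PSPath 'IIS:\Sites\WSUS Administration\Content' `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name userName).Value

# Steps 8f and 8g: WsusPool queue length and private memory limit (KB; 0 = unlimited)
$pool = Get-ItemProperty 'IIS:\AppPools\WsusPool'

New-Object -TypeName PSObject -Property @{
    Server                  = $env:COMPUTERNAME
    SqlServerName           = $setup.SqlServerName
    SqlMatches              = ($setup.SqlServerName -eq $ExpectedSql)
    ContentDir              = $setup.ContentDir
    ContentMatches          = ($setup.ContentDir -eq $ExpectedContent)
    ContentPhysicalPath     = $content.physicalPath
    PhysicalPathIsUnc       = $content.physicalPath.StartsWith('\\')   # the missing "\\" from step 8b
    PassThroughAuth         = [string]::IsNullOrEmpty($content.userName)
    AnonUsesAppPoolIdentity = [string]::IsNullOrEmpty($anonUser)
    WsusPoolQueueLength     = $pool.queueLength
    WsusPoolPrivateMemoryKB = $pool.recycling.periodicRestart.privateMemory
}
```

Any False in the output, or any value that differs between the two servers, points at the exact step to revisit before looking further into WCM.log.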

Reference Links

    1. Configure WSUS for Network Load Balancing
    2. How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster
    3. Configuring WSUS 6.x for Network Load Balancing (NLB)
    4. Best Practices for Software Updates in Configuration Manager
    5. Software Update Point Configured to Use an NLB
    6. Event ID: 10012