Configmgr 2012 SP1 : Installing Multiple Software Update Points per single primary site and use a single shared WSUS database on your SQL Cluster

October 3, 2012 at 10:00 am in AdminUi, ConfigMgr 2012, ConfigMgr 2012 SP1, SCCM 2012, SCCM 2012 SP1, SUP, wsus by Kenny Buntinx [MVP]

 

After installing ConfigMgr 2012 SP1 Beta (you can’t install SP1 in production, unless you have signed a TAP agreement with Microsoft), We wanted to install a new feature/functionality called Multiple SUP. In SP1 they have support for multiple software update points for a site (also for non trusted forests)  to provide automatic redundancy for clients in the same way as you can configure multiple management points.

In Configuration Manager 2012 Service Pack 1, they have added the ability to set multiple SUPs per Primary Site, to :

  • Provide the ability to add SUPs cross-forest
  • Provide fault tolerance without requiring NLB.

Clients will automatically fail over to additional SUPs in the same forest if scan fails , but switching SUP’s has a different network cost involved depending if you are using a shared WSUS database or not. The cheapest  network cost would be if you are sharing the WSUS database. By design , clients will try to scan to the SUP 4 times with a fixed interval of 30 minutes ( it will wait 30 min before it tries again )before switching to another SUP in the SUP list.

NOTE: Be aware that the above defined values or specifications can change any time as this product is still in beta !

However I believe this is a big step forward for Configuration Manager and that this is a nice solution for security and redundancy options, we had some difficulties to get this working with multiple WSUS servers sharing the database on the same SQL cluster / instance.

The product team is aware of the issue and is working at a solution . Until then , if you want to try this in a lab with a SQL cluster , here are the steps on how to work around the issue .

Scenario that failed :

1. Install WSUS-02 server.

2. Choose use existing WSUS-01 SUSDB database (on a remote SQL cluster ), and specify the remote SQL server name + instance.

You will get an error :  “Existing database is not compatible with this version of WSUS 3.0 SP2” . After clicking OK, then the option to use existing DB is greyed out.” When that happens , the remote SUSDB for existing WSUS server goes to single user mode (and doesn’t revert, so it can’t be contacted SUP) . Your WSUS-01 ( first WSUS can’t connect anymore)

3. Run a query to revert SUSDB from single user mode.

4. The assumption is that the required KBs (2720211 and 2734608), which have been applied to WSUS-01 before installing SP1 beta , are required on WSUS-02.  However, they can’t be applied until after WSUS-02 is installed, so we’re stuck adding another WSUS server using a shared database where the existing WSUS server has been patched with the KBs.

Scenario that succeeded:

1. Install WSUS-02 on its own dedicated database (internal) . Human error alert — we accidentally specified the server name and instance of the existing SUSDB, and overwrote it without any notification ! Used System Center Data Protection Manager to recover the SUSDB.  Phew.

2. Then the following steps were required to get the second WSUS (and second SUP) working successfully:

  • Install WSUS with a local DB.
  • Install KB2720211 and KB2734608
  • Stop WSUS Service on both WSUS servers

3. Modify the registry to point WSUS-02 to WSUS-01 SUSDB on remote SQL cluster as well and some other keys (listed below):

  • wYukonInstalled=0
  • SqlServerName= <clustername>\<instanceName>
  • SqlInstanceIsRemote=1

4. Cycle IIS services

5. Restart WSUS service.

6. Validate WSUS console opens.

7. Add SUP role to new WSUS server.

When you have success , go to the WCF.log file and see if he finds your SUP’s successfully :

image

Go to the monitoring tab and look into the “Software update point synchronization status”. What you maybe have questioned yourself is that there has not been anything about sync source, sync schedule, classification or products during the installation of the role when adding the second SUP. You specified everything already with the installation of the first SUP. When the second SUP has been installed I start a synchronization of the updates again to see what happens. See picture below :

SNAGHTML27922e2

After a few hours, you will see a confirmed number that clients are scanning off of the new SUP (WSUS-02).  Go to reporting and select “ Software Updates – D. Scan “ and use report “ Scan 1 –Last scan states by collection” .

image

Drill down to “Scan Completed”  . You will see this

image

If you export in a pivot table you will get excellent results that are more clear :

image

SNAG-0116

The feature really works well and I am pleased that the Product Team provide us these new features ! Above graphic proves it really works !

However it is NOT certified and therefore NOT SUPPORTED for Configuration Manager 2012 SP1 by the Product Group in production unless you are TAP. If you already use it in production , don’t expect Premier Support to help you . Certification and support statements will take official 90 days after RTM of Windows 8 . These experiences are being build during a TAP program and may be solved as we move to RTM .

Hope it Helps ,

Kenny Buntinx

Tweet about this on TwitterShare on FacebookShare on Google+Share on LinkedInPin on Pinterest