Saturday, July 18, 2015

Microsoft SCCM 2012 R2 - Dual SUPs, Same Site

Had to cobble together some information to get this working. As usual, I try to center my posts around information that I had to spend some time researching...to hopefully save someone else the trouble.

I wanted to set up two SCCM 2012 R2 SUPs within the same Site. One is for Intranet clients, the other for Internet clients (IBCM). To mitigate the "change WSUS server sync penalty", Microsoft recommends setting the two SUPs up with the same SQL database and the same content directory per this article. Well, they don't truly explain how to do that clearly, especially on Windows Server 2012 R2. Here is the collection of TechNet articles I pooled together to get this right:

TechNet Blog - Describes this exact thing! (without much detail!)
Configure WSUS for NLB - Ignore the NLB parts, no need for NLB with SCCM, gives some better detail on several of the steps

Here is a quick and dirty step outline on how I got this working:

1) Create a domain service account for IIS to reach the content directory network share - I'll use wsususer for the remainder of this blog entry.

2) Create a folder for the WSUS content and share it (you can use DFS if you want; I just used a standard share). Any server can host it; I chose my "first" WSUS server. This may not be precise, but it worked for me. Set the permissions as follows:
  • NETWORK SERVICE - Full Control
  • wsususer - Read
  • WSUSCOMPUTERACCOUNT-1 - Full Control
  • WSUSCOMPUTERACCOUNT-2 - Full Control
3) Server #1 - Install WSUS on the first server (PowerShell makes it easy):
Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools
4) Server #1 - Run postinstall on the first server, specifying the remote SQL DB but leaving the content directory at the default (we'll move it after the install, an important point):

.\wsusutil.exe postinstall SQL_INSTANCE_NAME="DBSERVER\INSTANCE"
5) Server #1 - Run wsusutil movecontent to the newly created share. It's located in C:\Program Files\Update Services\Tools
.\wsusutil.exe movecontent \\networkshare.fq.dn\sharename C:\movecontent.log

6) Server #1 - Open IIS and navigate to the WSUS Administration site and its Content virtual directory. Edit "Basic Settings" to point to the network share (if not already done) and change the "Connect As" account to the wsususer account. Run "Test Settings" to make sure the permissions are correct.

7) Server #1 is now "done". I recommend restarting the WSUS services and watching the event log for any automatic health alarms that pop up.

8) Repeat steps 3-4 on server #2. wsusutil on Windows 2012 R2 will auto-detect the existing database and use it. It appears older versions of WSUS needed an extra flag set (see the TechNet article I linked above).

9) On Server #2, we will not run the movecontent utility; we will simply edit the ContentDir registry value to tell WSUS to store updates on the network share. This value is located under:
HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup
10) On Server #2, repeat steps 6-7.

11) Install the SUP role on server #1 and watch WCM.log for any errors while it is configured. If all is good, install the SUP role on server #2. Now SYNC!!!
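As an added example (my own script, not from the TechNet articles or the original steps), here is a PowerShell script that performs steps 3-10 on either server and then checks that the registry ContentDir and the IIS Content directory agree. The SQL instance, share path and wsususer name are the placeholders used above; the IIS provider path "IIS:\Sites\WSUS Administration\Content" assumes the default WSUS site and virtual directory names.

```powershell
#Requires -RunAsAdministrator
# Run once on each WSUS server: -Role First on server #1, -Role Second on server #2.
param(
    [Parameter(Mandatory)][ValidateSet('First','Second')][string]$Role,
    [string]$SqlInstance  = 'DBSERVER\INSTANCE',               # placeholder
    [string]$ContentShare = '\\networkshare.fq.dn\sharename',  # placeholder
    [pscredential]$ContentCred = (Get-Credential -Message 'DOMAIN\wsususer (Read on the share)')
)
$wsusutil = 'C:\Program Files\Update Services\Tools\wsusutil.exe'
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'

# Steps 3 / 8: WSUS service plus the SQL DB connector, no local WID
Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools | Out-Null

# Steps 4 / 8: postinstall against the shared SQL instance; content dir stays at the default.
# On server #2 this attaches to the database server #1 already created.
& $wsusutil postinstall "SQL_INSTANCE_NAME=$SqlInstance"
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }

if ($Role -eq 'First') {
    # Step 5: relocate the existing content to the share (movecontent updates ContentDir itself)
    & $wsusutil movecontent $ContentShare 'C:\movecontent.log'
    if ($LASTEXITCODE -ne 0) { throw "wsusutil movecontent failed with exit code $LASTEXITCODE" }
} else {
    # Step 9: server #2 never runs movecontent; it only re-points ContentDir at the share
    Set-ItemProperty -Path $setupKey -Name ContentDir -Value $ContentShare
}

# Steps 6 / 10: point the IIS Content vdir at the share and set the "Connect As" identity
Import-Module WebAdministration
$vdir = 'IIS:\Sites\WSUS Administration\Content'
Set-ItemProperty -Path $vdir -Name physicalPath -Value $ContentShare
Set-ItemProperty -Path $vdir -Name userName     -Value $ContentCred.UserName
Set-ItemProperty -Path $vdir -Name password     -Value $ContentCred.GetNetworkCredential().Password

# Steps 7 / 10: restart WSUS, then confirm both configuration points name the same share
Restart-Service -Name WsusService
$regDir = (Get-ItemProperty -Path $setupKey).ContentDir.TrimEnd('\')
$iisDir = (Get-Item -Path $vdir).physicalPath.TrimEnd('\')
if ($regDir -ne $iisDir) {
    Write-Warning "ContentDir mismatch: registry='$regDir' IIS='$iisDir'"
} elseif (-not (Test-Path -Path (Join-Path $regDir 'WsusContent'))) {
    Write-Warning "Share '$regDir' is reachable from IIS config but has no WsusContent folder yet"
} else {
    Write-Output "$Role server OK: content served from $regDir"
}
```

The share credential is entered interactively so it never lands in the script; the wsususer account only needs the Read permission from step 2, since the WSUS services write to the share as the computer account.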