Windows Server Update Services 3.0
Improvements for Distributed Networks
Microsoft Corporation
Published: June 2007
Author: Jeff Centimano
Abstract
This white paper highlights new and improved features in WSUS 3.0 that address update
management for distributed networks. Distributed networks include businesses with
multiple locations, or with a mobile workforce.
Note:
For more information about Windows Server Update Services 3.0, including
deployment recommendations and a step-by-step installation guide, please visit
the WSUS TechCenter on Microsoft TechNet.
Contents
Distributed Deployment Overview
  Replica Servers
  Autonomous Servers
Improved Deployment Flexibility
  Replica Mode Improvements
  Automatic Update Client Improvements
Scalability and High-Availability Improvements
Other Deployment Considerations
  Roaming WSUS Clients
  Auditing WSUS Changes
For More Information
Distributed Deployment Overview
Microsoft® Windows™ Server Update Services (WSUS) 3.0 introduces a completely rewritten user
interface with rich status information and highly-customized reporting. However, other improvements
promise to be just as compelling for WSUS administrators – especially those with distributed
environments. This section highlights options for distributed WSUS deployments and is targeted at new
WSUS administrators or those looking to expand their WSUS environment. Seasoned WSUS
administrators may want to skip to the next section for an overview of what’s changed in WSUS 3.0.
Replica Servers
Replica servers offer a simple way to extend the reach of your WSUS deployment without a corresponding
increase in administrative overhead. Administrators with multiple physical locations can deploy replica
servers to reduce bandwidth consumption, while still maintaining full control over the update experience.
This is especially useful in remote locations with many computers, but no IT staff.
Replica servers receive update approvals, computer groups, and update content from a parent server on a
scheduled basis. Update content can include all, or only a subset of the languages available on the parent
server. Computers can then download updates and report their status to a local replica server instead of
communicating across the wide-area network (WAN). To facilitate organization-wide status reporting,
replica servers upload detailed information about their local computers to a parent server during the
normal synchronization process. Aside from initial setup and computer targeting, replica servers require
very little ongoing management.
Autonomous Servers
Organizations with skilled IT staff in multiple locations may prefer to deploy autonomous WSUS servers.
Aside from the ability to synchronize update content from a parent server (similar to replica server
behavior), autonomous servers perform all other management and maintenance tasks locally. This
includes approving updates, creating computer groups, and running status reports. Autonomous servers
are also useful for test environments that are disconnected from the production network or the Internet.
Update content and metadata from a production WSUS server is easily imported to a test environment
using removable media.
Note:
Autonomous servers only upload status summaries to their parent server. If your environment
requires detailed reporting rollup, use replica servers instead.
Improved Deployment Flexibility
Replica Mode Improvements
Even though replica servers were introduced in WSUS 2.0, several key improvements in WSUS 3.0 make
them even more desirable for distributed networks.
Built-In Reporting Rollup
Previously available as a separate download for WSUS 2.0, reporting rollup is now included and enabled by
default in WSUS 3.0. Administrators can choose to display status information from replica servers globally
(Figure 1), or on a one-off basis within the reporting interface (Figure 2). Aside from planning for the
additional load created by downstream clients, no additional server configuration is required.
Figure 1: Global Reporting Rollup Setting
Figure 2: Reporting Interface Replica Visibility
Enable/Disable Replica Mode
In WSUS 2.0 the choice to deploy a replica server was only available during setup. If your network or
business needs changed, the only way to enable/disable replica mode was to reinstall the product. WSUS
3.0 introduces the ability to toggle replica mode (Figure 3). Using a simple check-box, administrators can
change a replica server to operate autonomously, or vice versa.
Figure 3: Configurable Replica Mode Setting
Being able to toggle replica mode also adds another layer to your WSUS 3.0 disaster recovery strategy. For
example, if a parent server becomes unavailable due to hardware or software failure, a replica can be
‘promoted’ on a temporary basis. This allows you to rebuild the failed parent server as a replica,
synchronize update approvals and computer groups from the ‘promoted’ server, and finally reconfigure all
servers to their original roles. No disaster recovery plan should depend on this functionality; however, it
may be useful when traditional server backups are not available.
Configurable Content Source
Many corporate WANs are characterized by a hub-and-spoke design, where branch offices connect to a
headquarters location for all content. However, some WANs are more complex – consisting of multiple
hub locations, or branch offices with a private link to headquarters and a separate connection to the
Internet.
New functionality in WSUS 3.0 allows administrators to split replica server communication and content
download across two different connections. For example, a replica server with a slow private WAN link but
high-speed Internet connectivity can synchronize update metadata, computer groups, and status
information across the private WAN – then download approved update content from Microsoft Update
servers using the high-speed Internet connection. This improved flexibility enables administrators to
deploy replica servers where they were previously impractical because of limited WAN bandwidth.
Language Download Settings
Additional bandwidth savings can be achieved by only downloading updates in languages needed by
clients in a particular location. In WSUS 3.0 replica servers now have the ability to synchronize a subset of
the languages supported by the parent server. For global deployments, a best-practice design might
include a parent server supporting all languages with geographical replica servers only downloading
updates for their local language.
Automatic Update Client Improvements
WSUS 3.0 includes a new version of the Automatic Update (AU) client, which is automatically deployed the
first time a computer contacts WSUS 3.0. The new AU client contains improvements for all supported
operating systems, including the ability to install non-Microsoft updates and to collect machine inventory
data. Some features of the new AU client are only accessible via the WSUS Application Programming
Interface (API), or through additional products such as Microsoft System Center Essentials.
Windows Vista Peer Caching
Improvements in the Windows Vista AU client and Background Intelligent Transfer Service (BITS) 3.0 offer
additional capabilities not found in other operating systems. Specifically, Windows Vista can take
advantage of BITS 3.0 peer caching when connected to a WSUS 3.0 server. Peer caching enables Windows
Vista to share approved update content with other Windows Vista computers in the same domain, and on
the same IP subnet. Peer caching is configurable through Group Policy (Figure 4).
Figure 4: BITS Peer Caching Group Policy Setting
Peer caching can significantly reduce the load on your WSUS 3.0 servers. In Microsoft’s internal WSUS 3.0
environment up to 80 percent of Windows Vista clients download update content from their peers, and
not directly from WSUS 3.0. BITS 3.0 peer caching can also benefit branch office environments that do not
have a local WSUS server. If a large percentage of branch office computers run Windows Vista you may
decide to rely on peer caching instead of a WSUS replica server. More information on BITS 3.0 peer
caching and other BITS best-practices is located in the WSUS 3.0 Operations Guide, Appendix E.
Windows Vista Windows Update Application
Windows Vista also offers a graphical Windows Update application (Figure 5) not found in other operating
systems. This application allows users to view Windows Update status, and manually run a check for
WSUS-hosted updates – all without resorting to command line utilities. The Windows Update application
can be customized in a number of different ways. For example, administrators can use Active Directory
Group Policy to remove the option to check for updates on the public Microsoft Update site. This is
important for organizations that want complete control over approved and installed updates. However,
organizations without an Internet-facing WSUS server may prefer to deploy updates this way instead of
leaving clients exposed to potential issues. Regardless of how you choose to use this feature, it is a
welcome addition to the product.
Figure 5: Windows Update Application
Scalability and High-Availability Improvements
Large and highly-distributed networks often require additional capabilities that are not needed in smaller
environments. This section addresses scalability and high-availability improvements in WSUS 3.0.
Native 64-Bit Support
WSUS 3.0 now comes in a native 64-bit version (x64) for use on Microsoft Windows Server 2003 x64
Edition. This version is appropriate for anyone running x64-compatible hardware, and offers specific scale-
up benefits for large environments. For example, up to 20,000 clients are supported on a single server
using the x64 version of WSUS 3.0. See the WSUS 3.0 Deployment Guide for a complete list of hardware
recommendations for 32-bit and 64-bit deployments.
Network Load Balancing Support
Support for Network Load Balancing (NLB) is back in WSUS 3.0. Previously available in Software Update
Services (SUS) but missing from WSUS 2.0, this high-availability technology is appropriate for large
environments with strict service level agreements. By using NLB, two to four front-end WSUS 3.0 servers
present themselves as a single server to WSUS clients. If a front-end server goes offline for planned
maintenance or an unplanned component failure, clients continue to receive updates from the remaining
NLB member(s).
Note:
NLB clustering requires that the WSUS 3.0 database be stored on a separate SQL Server 2005
server. Additionally, NLB clustering does not increase the total number of clients supported by a
single WSUS server.
Microsoft SQL Server 2005 Cluster Support
WSUS 3.0 now supports Microsoft SQL Server 2005 clustering to provide high-availability for environments
with a back-end database server. Microsoft SQL Server 2005 clustering can be used with a single front-end
WSUS 3.0 server, or as part of a fully-redundant design with NLB front-end servers.
Note:
Unlike the Windows Internal Database included with WSUS 3.0, Microsoft SQL Server 2005
requires separate server and client access licenses. Contact your Microsoft Account Manager or a
Microsoft Certified Partner for more information.
Other Deployment Considerations
Roaming WSUS Clients
Many organizations are concerned about keeping mobile computers updated when they roam between
corporate locations, and onto the public Internet. The solutions listed below are just a couple of the
possible ways to address this issue.
DNS Netmask Ordering
The DNS Netmask Ordering function in Windows Server 2003 allows roaming WSUS clients to be directed
to the closest WSUS server (based on IP subnet). This type of design implies multiple WSUS servers –
preferably a parent server at the network hub and replica servers in other locations. All WSUS servers
must have host records in DNS with the same fully-qualified domain name, but different IP addresses.
Once DNS and WSUS are correctly configured, all name resolution requests for WSUS will return an IP
address on the client’s subnet. If a local WSUS server does not exist, DNS Round Robin will choose one at
random. More information about DNS Netmask Ordering and Round Robin is located in Windows Server
2003 Help and Support.
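The netmask ordering behaviour described above, simulated as an added example (not from the white paper): all WSUS servers share one host name with a different A record per site, the resolver prefers the record on the client's network using the class C (/24) mask that is the Windows default, and falls back to round robin when no record matches. The addresses and the host name wsus.corp.example are constructed.

```python
import ipaddress
from itertools import count

# Constructed sample data: every WSUS server registers the same host name
# (hypothetical: wsus.corp.example) with a different A record per site.
WSUS_A_RECORDS = [
    "10.1.0.10",  # headquarters: parent server
    "10.2.5.10",  # branch office A: replica server
    "10.3.7.10",  # branch office B: replica server
]

# Windows Server 2003 netmask ordering compares the client's source address
# with each A record using a class C (/24) mask by default.
LOCAL_NET_PREFIX = 24

# Round-robin state the DNS server keeps between queries (simulated here).
_rr_counter = count()


def netmask_order(records, client_ip, prefix=LOCAL_NET_PREFIX):
    """Order A records the way netmask ordering plus round robin does:
    records on the client's /prefix network first, then the remaining
    records rotated so that repeated queries spread across sites."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in client_net]
    remote = [r for r in records if r not in local]
    # Rotate the non-local answers by one position per query (round robin).
    offset = next(_rr_counter) % len(remote) if remote else 0
    return local + remote[offset:] + remote[:offset]


def pick_wsus_server(records, client_ip):
    """A WSUS client connects to the first address in the answer list."""
    return netmask_order(records, client_ip)[0]


if __name__ == "__main__":
    # A branch office A client is always sent to its local replica...
    print(pick_wsus_server(WSUS_A_RECORDS, "10.2.5.77"))
    # ...while a client on a subnet with no WSUS server gets a different
    # server on successive queries, as the paper notes for round robin.
    for _ in range(3):
        print(pick_wsus_server(WSUS_A_RECORDS, "10.9.0.5"))
```

Note that a replica only becomes the preferred answer for clients that share its /24; a site whose clients sit on other subnets needs the mask widened on the DNS server or one record per client subnet.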
Publishing WSUS 3.0 Using Microsoft ISA Server
Although DNS Netmask Ordering is helpful when roaming between locations on the internal network,
another solution is needed to accommodate WSUS clients outside the corporate firewall. One option is to
publish WSUS 3.0 on the Internet using Microsoft Internet Security and Acceleration (ISA) Server. If you
decide to implement this solution you can simply publish an internal WSUS server, or use a replica server
in a demilitarized zone (DMZ) network. Regardless of which server you publish, SSL is recommended so
roaming computers can verify the identity of your WSUS server.
Step-by-step instructions to publish WSUS using Microsoft ISA Server are available in the Microsoft
whitepaper “Implementing WSUS with ISA Server 2004 to Manage Remote Clients”. Although this
whitepaper was written for WSUS 2.0, the concepts are still valid for WSUS 3.0. However, important
information in the ISA Server web publishing section is out-of-date. Please refer to Table 1 below
for a correct list of WSUS 3.0 virtual directories to publish.
Virtual Directory          Publish HTTP?   Publish HTTPS?
/Content/*
/Selfupdate/*
/ClientWebService/*
/Inventory/*
/SimpleAuthWebService/*
/ReportingWebService/*
Table 1: Correct List of WSUS 3.0 Virtual Directories
Note:
The following virtual directories should not be exposed to the Internet:
• /ApiRemoting30 – Used for API access, including the WSUS Administration Console
• /DssAuthWebService – Allows other WSUS servers to authenticate to the server
• /ServerSyncWebService – Allows other WSUS servers to sync with the server
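As an added example (not from the white paper or from Microsoft), the allow-list from Table 1 and the internal-only list from the note above applied as a rule check to request paths. The path is canonicalized before matching so that case differences, repeated slashes or dot segments under a published prefix cannot resolve to /ApiRemoting30 or the server-to-server services; the sample requests are constructed and the code illustrates the rule logic, not ISA Server's own matching engine.

```python
import posixpath
from urllib.parse import unquote

# From Table 1: virtual directories that may be published to the Internet.
PUBLISHED = (
    "/Content/",
    "/Selfupdate/",
    "/ClientWebService/",
    "/Inventory/",
    "/SimpleAuthWebService/",
    "/ReportingWebService/",
)
# From the note: administration and server-to-server endpoints that must
# stay internal.
INTERNAL_ONLY = ("/ApiRemoting30", "/DssAuthWebService", "/ServerSyncWebService")


def normalize(path):
    """Canonicalize a request path before matching it against the lists:
    drop the query string, decode percent-encoding, treat backslashes as
    slashes, collapse '..' and repeated slashes, and lower-case it (IIS
    virtual directory names are not case sensitive, so the rule must not
    be either)."""
    path = unquote(path.split("?", 1)[0]).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def publishing_decision(path):
    """Return 'allow' for requests under a Table 1 directory and 'deny' for
    everything else. Internal-only directories are checked first, on the
    canonical path, so they cannot be reached through an allowed prefix."""
    p = normalize(path)
    for d in INTERNAL_ONLY:
        d = d.lower()
        if p == d or p.startswith(d + "/"):
            return "deny"
    if any(p.startswith(d.lower()) for d in PUBLISHED):
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests as a published WSUS server might see them.
    for req in ("/Content/abcd1234.cab", "/CLIENTWEBSERVICE/client.asmx",
                "/ApiRemoting30/WebService.asmx",
                "/Content/..%2FServerSyncWebService/ServerSyncWebService.asmx"):
        print(f"{publishing_decision(req):5}  {req}")
```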
Auditing WSUS Changes
Large organizations often have multiple administrators who are responsible for software update
management. These organizations may also be subject to industry regulations on computer security. In
such environments it is important to maintain an audit trail of when updates are approved, and by whom.
WSUS 3.0 includes a new log file to record this type of information. The file name is ‘Change.log’ and by
default it is located in the %ProgramFiles%\UpdateServices\LogFiles directory. In addition to update
approval changes, the file records content synchronization, computer group additions/deletions, and
server configuration changes.
For More Information
WSUS 3.0 is a compelling software update management tool for organizations of any size. The following
information will help you evaluate and deploy WSUS 3.0 in your environment:
• The WSUS TechCenter on Microsoft TechNet (late-breaking information)
• WSUS 3.0 Documentation:
  o Release Notes for Microsoft WSUS 3.0
  o Microsoft WSUS 3.0 Overview
  o Step-by-Step Guide to Getting Started with Microsoft WSUS 3.0
  o Deploying Microsoft WSUS 3.0
  o WSUS 3.0 Operations Guide
• WSUS 3.0 Download (x86 and x64)
• Management Pack Catalog (for organizations running MOM 2005 or SCOM 2007)