One of the great features built into Microsoft’s Windows Server Update Services (WSUS) is the ability to address the needs of networks that are not connected to the Internet. The WSUS Deployment Guide describes the basic requirements and procedures for implementing this capability in the article Configure a Disconnected Network to Receive Updates.
Over the years, though, this procedure has routinely coughed up a few ugly “gotchas” that have made life a bit annoying for some WSUS administrators. In this article I’m going to talk about the most commonly seen “gotchas”, why they exist, how to remediate them, and how to avoid them.
The procedure works in this order:
- Copy files from connected server to portable storage
- Export updates from connected server
- Copy files from portable storage to disconnected server
- Import updates to disconnected server
so that’s the order in which I’m going to cover the “gotchas”.
But before starting the procedure, make sure that the relevant settings are identical on both servers. This includes all settings on the Update Files and Languages dialog, as well as the selections on the Products and Classifications dialog.
Copy Files from Connected Server
In order to successfully copy all of the needed files from a connected server, they must first be present on the connected server. Updates that may be needed in the disconnected server must be Approved for Install on the connected server so that the files are downloaded. Also, before executing the copy of files to the portable storage, double-check the console of the connected server and verify that all update download are actually completed.
The other notable “gotcha” is how the copy is performed. You should copy the Subfolders of the WSUSContent folder, not the WSUSContent folder itself. The subfolders and files inherit ACLs from the WSUSContent folder, but the critical ACL item is the Full Control permission granted to the LOCAL Group “WSUS Administrators”. If you copy the WSUSContent folder itself, you’ll overwrite the ACLs on the disconnected server and WSUS won’t be able to find the content.
Export Updates from Connected Server
The only “gotcha” in this step recently started occurring with greater frequency. The native export format for the update metadata is the CAB file format. CAB files, though, have a maximum size of 2 Gigabytes. On servers with the “Drivers” and/or “Definition Updates” classification selected, the large number of updates in those two categories may create more export content than can fit into a 2GB CAB file.
There are two things to do to avoid this situation. Properly maintain approvals on the connected server and use the Server Cleanup Wizard. On a connected server the only reason to approve updates is to get files downloaded. Once the files are downloaded, they will not be deleted unless the updates are declined; also, files will not be deleted from the disconnected server unless they are declined there and the Server Cleanup Wizard is used, so truly the only files we actually need on the connected server are the files for new updates. I recommend as part of your regular export/copy procedures that you also decline all expired and superseded updates and run the Server Cleanup Wizard prior to beginning the export/copy. Also, having a smaller set of files to copy from the connected server to the disconnected server can make that process much faster.
Copy Files from Portable Storage to Disconnected Server
If you copied the Subfolders of WSUSContent, then this step is pretty straightforward, but make sure the disconnected server’s WSUSContent folder is actually where it thinks it should be. I’ve seen an occasional case where the WSUSContent folder was copied somewhere else and it couldn’t be found.
Also, with respect to the ACL issue mentioned in the earlier section, if you do happen to copy the WSUSContent folder and overwrite the ACL, it can be easily remediated. As noted, the key is the WSUS Administrators local group. If this has happened, you’ll see an unresolvable SecurityID in the Permissions dialog for the WSUSContent folder. Remove that ACL, add back the real “WSUS Administrators” local group, grant it Full Control applied to folder, subfolders and files, and select the “Replace all child object permissions” so the ACLs get applied to the entire folder tree.
Import Update to Disconnected Server
The most notable “gotcha” with this final step is impatience. The WSUS Operations Guide notes that the WSUS server make take “3-4 hours” after the wsusutil import task completes before it fully reconciles all of the update approvals with the files in the content store. That “3-4 hours” estimate dates back to the original release of WSUS v2 in 2005 when there were only a few thousand updates in the entire WSUS catalog. Today a server can easily have ten times as many updates to export/import. Consider the possibility that this task may take several hours, particularly so if being imported to a less-than-well-maintained server or you’re running a server with tens of thousands of updates.
The last “gotcha” is maintenance. Be sure to remove approvals, run the Server Cleanup Wizard, defragment the filesystems, and use the WSUS DB Maintenance script on your disconnected server on a regular basis as well.