
Migrating our WSUS and Patch Manager servers (2008 R2 to 2012 R2)

(I apologize for any information overload. I just wanted to paint as clear of a picture as I could while picking your brains.)

I am beginning work on migrating our WSUS and Patch Manager servers to Windows Server 2012 R2. I wanted to get some advice on a few areas where I'm cloudy. First, here's the setup:

  • One Active Directory forest at Server 2008 R2 level (two 2008 R2 DCs and one 2012 R2 DC)
  • We have a flat network, internal IP scheme. Nothing fancy here
  • VMware ESX Server 5.5 (all of our servers are VMs)
  • We have 1 WSUS server and 1 Patch Manager server.
  • WSUS Server (Name: WSUS2008)
    • Windows Server 2008 R2
    • WSUS 3.2.7600.256
    • Databases stored locally on server as Windows Internal Database
    • Computer groups created on WSUS server. Machines report to WU and appear in Unassigned Computers. I then add them to whatever group is appropriate. The group structure mainly divides machines by processor type and the Windows Updates install setting the machine receives via GPO (manually install updates, automatically install, etc.)
  • Patch Manager Server (Name: PM2008):
    • Windows Server 2008 R2
    • Patch Manager 2.0.2207.2 (PAS)
    • Databases stored locally on server with SQL Server 2008 R2.
  • NEW WSUS Server (Name: WSUS2012)
    • Windows Server 2012 R2 Standard (w/GUI)
    • WSUS 6.3.9600.16384 (Installed, completed the wizard, created a new GPO to redirect clients and tested a few successfully)
    • Port 8530, no SSL for now (I can handle that later)
  • NEW Patch Manager Server (Name: PM2012)
    • Windows Server 2012 R2 Standard (w/GUI)
  • Both 2008R2 and 2012R2 servers are in the same OU, and the firewall exceptions have been tested successfully.

We manage 145 machines with our WSUS infrastructure. The machines are organized into groups on the side of the WSUS Server. I can't ever remember the name for this method. Machines pull their WSUS config info from Group Policy and show up under Unassigned Computers. We have a couple of different Group Policies that lay out the installation type and schedule for updates. On WSUS, workstations are sorted by processor type (Win x64 vs x86). Servers are usually separated to match the install settings in Group Policy - a 'WSUS-Manual' for machines whose reviews need to be reviewed and updated by hand, 'WSUS-Auto' for machines that are clear to install approved updates at the next scheduled interval.

We have been working with this configuration for about four years, and it works great.

Here's what I want to accomplish:

  • Migrate the WSUS installation on WSUS2008 to WSUS2012. I began this process using a guide from Microsoft (Migrate Windows Server Update Services to Windows Server 2012). However, I ran into a wall when trying to export the database. I have created a new Group Policy pointing machines to WSUS2012, and I've already tested it successfully with a few machines. I will likely just rebuild the setup from scratch. I've also completed the setup wizard on WSUS2012.
  • Migrate the Patch Manager installation on PM2008 to PM2012. I was able to connect WSUS2012 to Patch Manager on PM2008, so connectivity should be fine.
  • Update Patch Manager so that its databases are stored on another server. We have a Server 2008 R2 instance running SQL 2008 R2 Enterprise. I've been slowly moving application databases to this server if supported (Kiwi Syslog Server, etc.) - I plan on using SolarWinds Knowledge Base :: How to migrate a local Patch Manager database to a remote SQL server to do this.

Questions:

  • What is the best method to migrate Patch Manager and related from PM2008 to PM2012? I'm comfortable with pairing the new instance with WSUS2012, so that part should be fine whether I migrate the WSUS or rebuild from scratch. I'm leaning towards the latter.
  • For Patch Manager, should I do the SQL Server data relocation before or after migration to PM2012?
  • Who would win in a battle between Chuck Norris and Manbearpig?

Thanks in advance for your time and input.

Jay

Message was edited by: grandgroove -- Removed old draft text.

  • Thanks for the extensive information. Definitely overload, but the good news is that there are very simple answers to this scenario. :-)

    Here's what I want to accomplish:

    • Migrate the WSUS installation on WSUS2008 to WSUS2012. I began this process using a guide from Microsoft (Migrate Windows Server Update Services to Windows Server 2012). However, I ran into a wall when trying to export the database. I have created a new Group Policy pointing machines to WSUS2012, and I've already tested it successfully with a few machines. I will likely just rebuild the setup from scratch. I've also completed the setup wizard on WSUS2012.

    That migration guide is not the most optimal methodology available (and I'm being exceptionally polite in my description). It was written because the Windows Server team wanted all product groups who built roles for the server to "show off" the role migration capabilities built into Windows Server 2008. Ironically, though, WSUS already had built-in (since a year earlier) all of the necessary tools to replicate a WSUS server. So, to migrate your WSUS v3.2 server to WSUS v6 (or any other WSUS server to another WSUS server, regardless of operating system)...

    1. Ensure the WSUS v3.2 server is patched with KB2734608.
    2. Disable synchronization on the WSUS v3.2 server.
    3. Install the WSUS V6 server as a downstream replica server of the existing WSUS v3.2 server and replicate. Depending on the number of updates and size of the content store on the WSUS v3.2 server this could take some time. Ideally you'll do some housecleaning on the WSUS v3.2 server before replicating. See WSUS Timeout Errors - Removing unneeded update approvals for some additional guidance.
    4. When replication is complete, reconfigure the WSUS v6 server as an Upstream server. Set the Product Categories & Update Classifications to the correct values and synchronize with Microsoft.
    5. Once you've confirmed the new server is operationally ready, reconfigure the GPO to point the clients to the new server.
    6. When all clients have successfully reported to the new server, you can take the old server offline.

    • Migrate the Patch Manager installation on PM2008 to PM2012. I was able to connect WSUS2012 to Patch Manager on PM2008, so connectivity should be fine.

    Migration of a Patch Manager server is not a supported activity. This will require installation of a new Patch Manager server on Windows Server 2012. There are also considerations for dealing with scenarios where WSUS and Patch Manager are not installed on the same version of Windows. Please be sure to review Using Patch Manager and WSUS in a mixed OS environment when planning the full deployment scenario.

    Essentially what you'll want to do here is:

    1. Install the new Patch Manager server in evaluation mode and get everything configured (except the 3rd Party Updates catalogs).
    2. Deactivate the original Patch Manager server license (this will put it back in eval mode, and you should have 30 days to wrap up its use).
    3. Activate the new Patch Manager server and configure the 3rd Party Updates catalogs.

    • Update Patch Manager so that its databases are stored on another server. We have a Server 2008 R2 instance running SQL 2008 R2 Enterprise. I've been slowly moving apps to this server if supported (Kiwi Syslog Server, etc.).

    Ideally you should accomplish this as a function of installing the new Patch Manager server; simply install it using a Remote SQL Server to start with.

    However, if you did need to migrate the database, that process is discussed in this Knowledge Base Article: SolarWinds Knowledge Base :: How to migrate a local Patch Manager database to a remote SQL server
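
The WSUS replica-then-promote procedure from the reply above (steps 3 to 6), sketched as an added PowerShell example; it is not part of the original post and not SolarWinds or Microsoft code. It assumes it is run elevated on WSUS2012 with the UpdateServices module that ships with the WSUS role; the old server's port and the 7-day reporting window are assumptions, since the thread does not state them.

```powershell
# Added example: run once per phase on WSUS2012, e.g. .\Migrate-Wsus.ps1 -Phase Replicate
param(
    [Parameter(Mandatory)][ValidateSet('Replicate', 'Promote', 'Verify')]
    [string]$Phase,
    [string]$OldServer = 'WSUS2008',
    [int]$OldPort = 80,              # assumption: the thread does not give the old server's port
    [int]$ExpectedClients = 145,     # client count stated in the thread
    [int]$ReportWindowDays = 7       # assumption: how recent a client report must be
)

Import-Module UpdateServices
$wsus = Get-WsusServer -Name 'WSUS2012' -PortNumber 8530   # port 8530, no SSL, as in the thread

switch ($Phase) {
    'Replicate' {
        # Step 3: make the new server a downstream replica of the old one and pull everything.
        Set-WsusServerSynchronization -UpdateServer $wsus -UssServerName $OldServer `
            -PortNumber $OldPort -Replica
        $sub = $wsus.GetSubscription()
        $sub.StartSynchronization()
        do { Start-Sleep -Seconds 60 } while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')
        $last = $sub.GetLastSynchronizationInfo()
        "Replica sync result: $($last.Result), ended $($last.EndTime) UTC"
        # Metadata sync finishing does not mean the content files have finished downloading.
    }
    'Promote' {
        # Step 4: stop replicating and synchronize from Microsoft Update instead.
        Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU
        $cfg = $wsus.GetConfiguration()   # read the setting back rather than trusting the call
        "IsReplicaServer=$($cfg.IsReplicaServer) SyncFromMicrosoftUpdate=$($cfg.SyncFromMicrosoftUpdate)"
        # Products and classifications are then set in the console (or Set-WsusProduct /
        # Set-WsusClassification) before the first synchronization with Microsoft.
    }
    'Verify' {
        # Steps 5-6: after the GPO change, count clients that have reported to the new server.
        $cutoff = (Get-Date).ToUniversalTime().AddDays(-$ReportWindowDays)   # WSUS stores UTC
        $seen = @($wsus.GetComputerTargets() |
            Where-Object { $_.LastReportedStatusTime -gt $cutoff })
        "Reported in last $ReportWindowDays days: $($seen.Count) of $ExpectedClients expected"
        if ($seen.Count -lt $ExpectedClients) {
            Write-Warning "Keep $OldServer online until the remaining clients have reported."
        }
    }
}
```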

  • Thanks, Lawrence Garvin! This sets me in the right direction. I think, ultimately, I will be effectively building a new WSUS and Patch Manager infrastructure. I'm comfortable with that.

    I'll send a reply to let you know how it goes.

  • Be sure to note the edit I just made to my original post regarding building/activating the new Patch Manager server.

  • Lawrence Garvin While I'm installing Patch Manager on the new Server 2012 R2, can I install it as PAS even though there's another instance running on my network? From what I can tell, the two shouldn't ever meet and cause an issue.

  • can I install it as PAS even though there's another instance running on my network?

    Absolutely. There is no functional limitation on the number of Primary Application Servers (PAS) that can be active within an environment. In my own lab I have quite often had both production and testing instances of PM servers talking to the same WSUS servers, sometimes even of different vintages.

  • Ah, I gotcha. That makes sense. The only thing I need to do is make sure I export my custom reports and a few other items.

    • Who would win in a battle between Chuck Norris and Manbearpig?

       Since Lawrence took care of all your other questions I'll answer the last one. Although Al Gore believes that Manbearpig would win that fight everyone else knows that Chuck Norris can win ANY battle. :-)