Most people who are familiar with computers know that the first thing to do after installing the Windows operating system is to visit the Windows Update website and patch the installation; otherwise the various unpatched vulnerabilities are a serious threat to the system. Unfortunately, many people lack this awareness and neglect to patch their systems, which indirectly contributes to virus outbreaks such as last year's "Worm King" and the "Shock Wave" of the past few days. Both viruses were written to exploit and spread through vulnerabilities in Microsoft software, yet before either of them circulated widely, Microsoft had already published the corresponding patch as a free download. Users who regularly visited the Windows Update website to install patches would not have been infected, but many people neglected to do so. After these two lessons, more people understand the importance of patching, but that brings a new problem.
Microsoft's update servers are located abroad. Sometimes, because of network conditions, domestic users connect to them very slowly, and at such times downloading the patches alone can take more than an hour, which is very inefficient. In addition, in a company with hundreds of computers, each computer connects to Microsoft's servers to download the 100 megabytes of patches, which is also a burden on the company's network bandwidth. And because everyone downloads patches directly from Microsoft's servers, the administrator cannot control which patches are installed; if a patch happens to conflict with software that is widely used in the company, it can cause even greater trouble. These problems can now be solved by using Microsoft's SUS (Software Update Services).
Prerequisites
SUS has a server side and a client side.
The server has the following requirements:
Hardware: a CPU of 700MHz or faster, 512MB of memory or more, and 6GB or more of hard disk space
Software: Windows 2000 Server SP2 or Windows Server 2003 operating system, IIS 5 or above, IE 5.5 or above
As you can see, the requirements of SUS are relatively high, but note that Microsoft states this recommended hardware configuration can provide update service for 15,000 computers, so if your network is not that large, the hardware requirements can be relaxed accordingly. The 6GB of hard disk space is used to store the patches for all languages; if your network only contains computers running the English version of the operating system, you can configure the server not to download patch files for other languages, which saves hard disk space.
The client also has some requirements:
First, SUS can only provide update service for Windows 2000 SP2 / XP / 2003, which means that Windows NT, Windows 9x and Windows 2000 SP1 cannot be updated through this service.
Windows 2000 SP2 and Windows XP require the SUS client program to be installed; Windows 2000 SP3 and above, Windows XP SP1 and above, and Windows Server 2003 do not need the client installed and can be configured directly in Group Policy.
Working principle
The server side can be understood as a local mirror of Microsoft's update servers. It synchronizes with Microsoft's update servers automatically or manually, downloads all the patches, and then publishes them on the network inside the enterprise.
The client works much as usual, except that policy settings change the update path from the default Microsoft server to the update server inside the enterprise, from which patches are then downloaded and installed automatically.
If your network environment has special needs, you can set up multiple SUS servers, and clients can download patches from any of them. You can also configure the other SUS servers to synchronize with one master SUS server rather than with Microsoft's servers, which further reduces network traffic.
Application range
SUS can only provide the critical updates, service packs, drivers and other updates that are available for Windows operating systems. Updates for other products, such as Office and Exchange, are not included.
Server-side configuration
In this article, we will install and configure SUS on a standalone server running Windows Server 2003 Standard.
First download the server-side installation file and run the installer; all options can be left at their default settings. Note that, for security reasons, both the SUS server's system disk and the hard disk partition that stores the SUS patches must use the NTFS file system. Also, if you install SUS on the Windows 2000 Server operating system, the installer installs the IIS Lockdown Tool at the same time, which is software that improves IIS security.
After the server-side software is installed, you can start configuring it. There are two ways to configure the SUS server, locally and remotely, and both require that you have the access rights of the Administrators group.
For local configuration, double-click "Microsoft Software Update Services" in the Control Panel.
For remote management, open the IE browser (version 5.5 or above) on the remote computer, enter "http://server name or IP/susadmin" in the address bar and press Enter, then log in with the corresponding username and password.
The configuration interface looks very familiar: it closely resembles the Microsoft Windows Update website we usually visit, and all features can be opened from the list on the left.
First, configure the server itself. Click "Set Options" under the "Other Options" menu on the left to see the interface shown in Figure II. At the top are the firewall settings: under "Select a Proxy Server Configuration" you can enter your firewall parameters. Usually, as long as these are already set in IE, you can use the default settings here.
Next, under "Specify the Name Your Clients Use to Locate this Update Server", you can give the server a friendlier name so that clients can reach the update server by name instead of by IP address.
Under "Select Which Server to Synchronize Content From", you can set the source from which patches are synchronized. If the server is to synchronize from Microsoft's update servers, select "Synchronize Directly from the Microsoft Windows Update Servers"; if you want to synchronize content from another SUS server on the network, select "Synchronize From A Local Software Update Services Server" and enter the name or IP address of that server below.
Under "Select How You Want To Handle New Versions of Previously Approved Updates", you can set what happens when a new version is released of a patch that has already been approved. If you think new versions of patches can be released directly without testing, select "Automatically approve new versions of previously approved updates"; otherwise select "Do not automatically approve new versions of approved updates. I will manually approve these updates later", so that when a new version of a patch is released it is not published immediately but waits for the administrator to verify it and release it manually.
Under "Select Where You Want To Store Updates" you can set how patches are stored. You can simply select "Maintain The Updates On A Microsoft Windows Update Server", in which case the SUS server's patch downloads stay completely synchronized with Microsoft's servers, regardless of whether those patches are really needed. It is therefore usually recommended to choose "Save the Updates to a Local Folder" and select only the patch languages you need, which reduces unnecessary downloads.
When everything is set, click "Apply" in the lower right corner of the page to save the settings.
Next comes synchronizing the server. Click "Synchronize Server" on the left to see the interface shown in Figure II.
You can start synchronizing immediately with the "Synchronize Now" button. This is a long process, especially if you synchronize many patch languages or your connection is slow. I therefore suggest setting up automatic synchronization: click the "Synchronization Schedule" button to see the interface shown in Figure 4.
Select "Synchronize Using this Schedule" and set the synchronization schedule below. If your server runs 24 hours a day, it is recommended to schedule synchronization for the early morning, because network utilization is lowest at that time and it is easy to get a high download speed. After setting this, click the "OK" button to save the settings.
After the server finishes synchronizing, if you earlier chose to have patches approved before release, you can start approving them. Click "Approve Updates" in the list on the left to see the interface shown in Figure 5.
All patches that have been downloaded are listed here, each with its status. "Approved" means the patch has been tested and approved for release. A patch with the status "Not approved" needs attention: install it on a few test machines and, if everything works normally, select the checkbox in front of the patch name and click the "Approve" button in the lower right corner. You then have to accept the patch's end-user license agreement. There is a small problem here: the pop-up window that displays the license agreement does not show any buttons, and you need to press the Tab key to make the button appear before you can click it.
You can also see further information about each patch: the operating systems the patch applies to are shown in green, and if installing the patch requires a restart, this is indicated in prominent red text in the patch description. Each patch also has a link; clicking it takes you to the Microsoft website to see the patch's details.
Note: If you have configured patches to require approval, only approved patches will be downloaded and installed by clients. At this point, the basic configuration of the server is complete.
Client configuration
We divide client configuration into two cases: the domain environment and the workgroup environment. Let's look at the workgroup environment first.
Note: The following involves Active Directory and Group Policy. Windows XP Home Edition has no Group Policy, so it is outside the scope of this discussion.
In a workgroup environment, you need to configure each client computer individually. If there are many computers on the network this is obviously very tedious, and with that many computers the administrator will usually manage them with Active Directory instead. Never mind; let's read on.
For Windows 2000 SP2 and Windows XP, we must first download and install the SUS client.
After installation, enter "gpedit.msc" in Run on the client to open the Group Policy Editor. Expand "Computer Configuration" - "Administrative Templates", right-click "Administrative Templates" and select "Add/Remove Templates", then click the "Add" button in the interface shown in Figure 6, find the wuau.adm file in the %windir%\INF directory and double-click it to add it. Next, open "Windows Components" - "Windows Update" (this only appears after the client software is installed and the template added); two available policies are displayed on the right side of the window. "Configure Automatic Updates" lets you set the schedule and the handling method, and "Specify Enterprise Internal Internet ..." is used to specify the location of the server, which you can enter as "http://server name" or "http://server IP". You then have to apply the same settings on every computer on the network.
Once this is done, the client automatically connects to the specified update server to check for updates; if there are updates, it either downloads them automatically and asks whether to install them, or prompts the user. Note that clients cannot browse SUS directly; all updates can only be performed automatically in the background.
For Windows XP SP1, Windows 2000 SP3 and Windows Server 2003, the Windows Update policies are already present in Group Policy, so they can be set there directly.
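The two policies described above are stored as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following is an added example, not part of the original article: it parses the output of "reg query ... /s" collected from a client and reports where the client deviates from the intended SUS settings. The server name sus01 and the sample output are constructed for illustration.

```python
import re

# Constructed sample of: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
# (sus01 is a hypothetical internal SUS server name)
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://sus01
    WUStatusServer    REG_SZ    http://sus01

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
    ScheduledInstallDay    REG_DWORD    0x0
    ScheduledInstallTime    REG_DWORD    0x3
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {lowercased value name: data}; REG_DWORD data becomes an int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, kind, data = m.group(1), m.group(2), m.group(3).strip()
            values[name.lower()] = int(data, 16) if kind == "REG_DWORD" else data
    return values

def audit_client(text, expected_server):
    """Return a list of findings; an empty list means the client matches."""
    v = parse_reg_query(text)
    expected = expected_server.rstrip("/").lower()
    findings = []
    # Both the update and the status URL must point at the internal server.
    for name in ("wuserver", "wustatusserver"):
        actual = str(v.get(name, "")).rstrip("/").lower()
        if actual != expected:
            findings.append(f"{name} is {actual or 'not set'}, expected {expected}")
    # Without UseWUServer=1 the client ignores WUServer and uses Microsoft's servers.
    if v.get("usewuserver") != 1:
        findings.append("UseWUServer is not 1: the internal server is ignored")
    if v.get("noautoupdate", 0) != 0:
        findings.append("NoAutoUpdate is set: Automatic Updates is disabled")
    # 2 = notify before download, 3 = download then notify, 4 = scheduled install
    if v.get("auoptions") not in (2, 3, 4):
        findings.append("AUOptions is missing or not one of 2, 3, 4")
    return findings
```

Calling audit_client(SAMPLE, "http://sus01") returns an empty list; any returned string names a value that differs from the intended configuration on that client.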
If your network is relatively large and uses Active Directory, management is more convenient.
On the domain controller, enter "dsa.msc" in Run to open the Active Directory Users and Computers window, right-click the OU or domain where you want to create the policy and select Properties. In the Properties window, open the Group Policy tab and click the "New" button to name the newly created policy (for example, SUS; see Figure 7). Select the newly created policy and click the "Edit" button; a Group Policy settings window pops up that is similar to the one we usually see when running gpedit.msc, except that here you can set Group Policy for all computers in the entire domain.
In this window, expand "Computer Configuration" - "Administrative Templates" - "Windows Components" - "Windows Update"; by setting the policies here, you apply the SUS client's operating parameters to all computers that log on to the domain. Be aware that if the client's operating system is Windows 2000 SP2 or Windows XP, the SUS client software still has to be installed.
That completes the client configuration. I believe the administrator's maintenance work will be easier from now on, and the computers on the network will be more secure!