Cluster-Aware Updating via WSUS

I can't seem to find this information anywhere.

I have set up a 2-node Hyper-V 2012 bare-metal cluster and configured it with the Cluster-Aware Updating (CAU) role.

The environment is not internet-facing and the updates need to come through a local WSUS server, a capability mentioned in many articles; however, there are no guidelines on how to actually do it.

CAU is configured with the Microsoft.WindowsUpdatePlugin in self-updating mode.

I'm not sure how to point the CAU role to the local WSUS host. Obviously no updates are occurring, since there is no internet access to the MS update servers and WSUS cannot simply be auto-discovered.

Has anyone done this, or does anyone know how to make this work? I can only assume I would have to pass some sort of argument to the CAUpluginArguments field with the http/s link to the WSUS infrastructure, but I can't find the proper string.

thanks in advance,

armin

December 28th, 2012 10:48pm

I'm not using CAU myself, but from the documentation: http://technet.microsoft.com/en-us/library/hh847234.aspx

it doesn't seem that it is configured any differently than any other WU implementation - just the invocation and scheduling would be under the control of CAU so as to avoid cluster unavailability?

December 29th, 2012 12:35am

I've looked at that link as well but as you saw, nothing specific in there for pointing to another update server, the only thing that comes close is how to go through a proxy server, but that's not the issue either.

I wish it was as easy as you say but CAU creates a virtual computer object in AD which seems to act as the "update broker" if you will for all the nodes in the cluster requiring updates, more than just invocation/scheduling.  During validation if CAU sees your local cluster nodes are configured to go through WSUS it will actually throw a flag since it sees it as a conflict.  It's noted in the best practices section that CAU should be exclusively managing patches, not WSUS/SCCM/etc. on the cluster nodes.

I even tried to put the CAU virtual computer object in the OU where my usual WSUS policies reside but it didn't do anything since that object is not really a traditional computer object in AD, it never showed up in the WSUS console after reboots and manual update triggers from the CAU snap-in.

Thanks anyway, let's see if anyone has this working.

December 29th, 2012 7:46am

> I'm not sure how to point the CAU role to the local WSUS host, obviously no updates are occurring since there is no internet access to the MS update servers and WSUS cannot simply be auto-discovered

You configure Cluster-Aware Updating in exactly the same way you would configure a standalone node. Use Group Policy to configure the WUAgent. 

http://technet.microsoft.com/en-us/library/dd939933(v=ws.10).aspx

What CAU does is coordinate the activities of the individual WUAgents on each node of a cluster, but that still requires that the nodes be configured as WSUS clients.

January 1st, 2013 5:18am

> It's noted in the best practices section that CAU should be exclusively managing patches, not WSUS/SCCM/etc. on the cluster nodes.

What that means is that you should not use policy to specify a scheduled installation time for the nodes, but rather allow the CAU subsystem to 'schedule' the installations.

Regarding the configuration, this statement in the Overview may shed some light:

To enable self-updating mode, the CAU clustered role must also be added to the failover cluster. To do this by using the CAU UI, under Cluster Actions, use the Configure Self-Updating Options action.

January 1st, 2013 5:27am

You're right, my default WSUS GPO which the cluster nodes were initially inheriting has a schedule for installing updates so the CAU analysis report was reporting a conflict.

I created a new WSUS GPO with no scheduling defined and ran the CAU report and it passed this time, the update wizard also seems to work ok but I'll know for sure when new updates come out next week as they're all up to date right now.

Thanks for your help.

January 2nd, 2013 6:56pm
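
The configuration this thread arrives at (nodes are ordinary WSUS clients via Group Policy, with no policy-defined install schedule) can be checked on every node before running the CAU analysis. The script below is an added example, not part of any post in the thread; the cluster name `HVCLUSTER01` is a placeholder, and it assumes PowerShell remoting is enabled on the nodes and that the settings arrive through the standard Windows Update policy registry keys.

```powershell
# Added example: audit the Windows Update policy that Group Policy has
# written on each cluster node. 'HVCLUSTER01' is a placeholder name.
Import-Module FailoverClusters
Import-Module ClusterAwareUpdating

$clusterName = 'HVCLUSTER01'
$nodes = (Get-ClusterNode -Cluster $clusterName).Name

$report = Invoke-Command -ComputerName $nodes -ScriptBlock {
    # Standard policy locations for the Windows Update Agent settings.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $issues = @()
    # The node must be a WSUS client: UseWUServer = 1 and a server URL set.
    if ($au.UseWUServer -ne 1 -or -not $wu.WUServer) {
        $issues += 'not pointed at a WSUS server'
    }
    # AUOptions 4 = auto download and schedule the install. A policy-defined
    # schedule is what the CAU analysis reported as a conflict in this thread.
    if ($au.AUOptions -eq 4) {
        $issues += 'policy schedules installs (AUOptions 4)'
    }

    [pscustomobject]@{
        Node                 = $env:COMPUTERNAME
        WUServer             = $wu.WUServer
        UsesHttps            = ($wu.WUServer -like 'https://*')
        AUOptions            = $au.AUOptions
        ScheduledInstallDay  = $au.ScheduledInstallDay
        ScheduledInstallTime = $au.ScheduledInstallTime
        Issues               = ($issues -join '; ')
    }
}

$report | Sort-Object Node |
    Format-Table Node, WUServer, UsesHttps, AUOptions,
                 ScheduledInstallDay, ScheduledInstallTime, Issues -AutoSize

# Run the CAU readiness analysis once no node reports an issue.
if (-not ($report | Where-Object { $_.Issues })) {
    Test-CauSetup -ClusterName $clusterName
}
```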

For clarity, when setting up the special GPO to send the WSUS settings to the cluster, what is the best way to configure the "Configure Automatic Updates" policy? Is it to set '3 - Autodownload and notify for install' and then the CAU client on the hosts will take it from there? Or is a different option on that list better?

TechNet seems to suggest that both option 2 & 3 on that list would work, but I presume option 3 is slightly better since the updates are downloaded and ready to be installed, thus it's a bit quicker?

Secondly, our Hyper-V cluster machines are in their own OU, and as well as the 3 machine names for the 3 machines in the cluster, there is also a 4th machine name in the same OU, a "Failover cluster virtual network name account".   Is it correct to apply the WSUS GPO to that whole OU, to all 4 machine names?

January 27th, 2014 5:18am
