WSUS on disconnected network

kartikeya mahajan 46 Reputation points
2020-10-15T04:49:38.163+00:00

I am setting up a WSUS server in my domain, which is not connected to the internet. I have set up a downstream server on Windows Server 2016 that is connected to the internet. My internal WSUS server is also on Windows Server 2016. On the downstream server, I downloaded the updates and ran the wsusutil export command. After that, I copied the export files and WSUS content to my internal WSUS server. The import ran successfully. I configured the GPO as well for auto-installation of updates and can see my domain computers on the internal WSUS server. However, when I approve the updates on the internal server, they are not getting installed on the computers. I would appreciate it if someone could guide me on what I am missing in this scenario.


5 answers

  1. Adam J. Marshall 10,281 Reputation points MVP
    2020-10-16T14:35:35.213+00:00

    What updates are 'needed' by your clients?

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-6-selecting-your-test-systems-the-approvals-process/

    If you approve those needed updates, and they do not install, check to see if they are missing files by enabling the "File Status" column on any of the update views that show your approved updates (https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-2-computer-groups-update-views/).

    Verify there are no 'missing' files (they should all have a green icon). If they don't, those files are missing or corrupted, and those updates will need to be approved/downloaded from your online WSUS server and then re-copied to the offline server.

    1 person found this answer helpful.

  2. Rita Hu -MSFT 9,661 Reputation points
    2020-10-15T06:14:32.88+00:00

    Hi kartikeyamahajan-6287,

    Thank you for posting on this forum.

    To avoid misunderstanding, please help to confirm the following information:

    "I have setup a downstream server on Windows Server 2016 connected on internet."

    1. Is the connected Windows Server 2016 WSUS in the domain or not?

    In order to use WSUS in a disconnected environment, we have to build two WSUS servers. One is connected to the Internet to download the binary update files and the other is disconnected from the Internet. We could use the wsusutil.exe export and import commands to import the updates from the connected WSUS server to the disconnected WSUS server. Here is the step-by-step procedure for your reference:

    1) Verify that software updates synchronization has completed successfully on the export server.

    2) Make sure the advanced synchronization options for the express installation files feature and languages on the export server match the settings on the import server.

    3) Copy the binary update files on the connected WSUS server and then post them on the disconnected WSUS server.

    4) Open CMD as an administrator on the connected WSUS server and navigate to the wsusutil.exe tool (Location: C:\Program Files\Update Services\Tools). And then post the following command:

    `wsusutil.exe export export.xml.gz export.log`

    Wait for a while and we will find the compressed file in the location: C:\Program Files\Update Services\Tools

    5) Last, we could copy the compressed file on the connected WSUS server and then post it on the disconnected WSUS server in the same location. Then we could run the wsusutil.exe import command to import the metadata to the database.

    Please help to confirm the above. If there are any updates, please keep us in touch.

    Regards,
    Rita


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
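
The first answer attributes failed installs to missing or corrupted files, and the procedure above copies the content folder and the export package by hand. The following is an added example (not from the thread or from Microsoft) that records SHA-256 hashes on the connected server and checks them on the disconnected server before the import. The function names, the manifest layout, `import.log` and the `D:\WSUS\WSUSContent` path are assumptions.

```powershell
# Added example. Function names, manifest layout and example paths are assumptions.
function New-WsusTransferManifest {
    param(
        [Parameter(Mandatory)][string]$ContentDir,     # WSUS content folder (connected server)
        [Parameter(Mandatory)][string]$ExportPackage,  # file written by "wsusutil.exe export"
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Get-Item -LiteralPath $ContentDir).FullName.TrimEnd('\')
    $rows = foreach ($f in @(Get-ChildItem -LiteralPath $root -Recurse -File)) {
        [pscustomobject]@{
            RelativePath = $f.FullName.Substring($root.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    # The metadata package lives outside the content folder, so it gets a marker row.
    $pkg = [pscustomobject]@{
        RelativePath = '<export-package>'
        SHA256       = (Get-FileHash -LiteralPath $ExportPackage -Algorithm SHA256).Hash
    }
    @($rows) + $pkg | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-WsusTransferManifest {
    param(
        [Parameter(Mandatory)][string]$ContentDir,     # copied content folder (disconnected server)
        [Parameter(Mandatory)][string]$ExportPackage,  # copied export package
        [Parameter(Mandatory)][string]$ManifestPath    # manifest carried over with the files
    )
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $path = if ($row.RelativePath -eq '<export-package>') { $ExportPackage } else {
            Join-Path $ContentDir $row.RelativePath
        }
        $status = 'OK'
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $status = 'Missing' } elseif (
            (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $row.SHA256) { $status = 'Corrupt' }
        # Emit only problems; an empty result means the copy matches the source.
        if ($status -ne 'OK') { [pscustomobject]@{ File = $row.RelativePath; Status = $status } }
    }
}

# Connected server, after "wsusutil.exe export export.xml.gz export.log":
#   New-WsusTransferManifest -ContentDir 'D:\WSUS\WSUSContent' `
#       -ExportPackage '.\export.xml.gz' -ManifestPath '.\manifest.csv'
# Disconnected server, before "wsusutil.exe import export.xml.gz import.log":
#   $bad = @(Test-WsusTransferManifest -ContentDir 'D:\WSUS\WSUSContent' `
#       -ExportPackage '.\export.xml.gz' -ManifestPath '.\manifest.csv')
#   if ($bad.Count) { $bad | Format-Table } else { 'Copy verified' }
```

Any file reported as Missing or Corrupt should be re-copied from the connected server before the import is run.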


  3. kartikeya mahajan 46 Reputation points
    2020-10-16T10:19:56.747+00:00

    Hi @UnicornLady,

    Thank you for the detailed procedure.

    My connected Windows Server 2016 WSUS is not on the domain.

    I have checked all the settings as specified by you and exported/imported all the binary files successfully. However, updates are still not getting installed on domain computers.

    On the 'Update Source and Proxy server' settings of my disconnected server, I have selected 'Synchronize from another Windows Server Update Services Server' and have given the name of the same disconnected server since there is no other way to connect to the connected server. Is this the correct way to do it, or do some other settings still need to be changed?

    Regards

    Kartikeya


  4. Rita Hu -MSFT 9,661 Reputation points
    2020-10-19T06:43:07.3+00:00

    Hi Kartikeya,

    Thanks for your response.

    "On 'Update Source and Proxy server' settings of my disconnected server, I have selected 'Synchronize from another Windows Server Update Services Server' and have given the name of the same disconnected server since there is no other way to connect to the connected server. Is this a correct way to do or still some other settings need to be changed?"

    In the past, I always set the disconnected WSUS sync from the Microsoft Update when I tried to export and import updates. I will set the disconnected WSUS from another WSUS and then try to export and import operations. If there are any updates, I will inform you in time.

    In addition, it is recommended to check the File Status as the below picture first:
    33261-3.png

    If the file status is correct but the clients do not install on schedule, it is recommended to check the WindowsUpdate.log. We could open PowerShell as an administrator and then post the `Get-WindowsUpdateLog` command to get this log. Please share with us if there is any error information.

    Regards,
    Rita




  5. Rita Hu -MSFT 9,661 Reputation points
    2020-10-23T01:43:58.82+00:00

    Hi Kartikeya Mahajan,

    Thanks for your response.

    Here are the responses to your updates:

    1. It seems some files are corrupted. It is recommended to check which updates' files are corrupted. We could decline these updates on the connected WSUS server first and then run the Server Cleanup Wizard. After those updates have been cleaned up, we could try to approve these updates again on the connected WSUS. Finally, we could export and import these updates again.

    In addition, it would be better if you could provide the associated screenshot of the error information. Note: protect your personal information when you provide the related screenshot.

    2. "Majority of computers are not sending reports to the WSUS server due to which I am not able to determine whether the update is needed by them or not."
      The description means that the computers in the disconnected WSUS did not send a report to the WSUS. Right?

    Regards,
    Rita



