Move WSUS content when running multiple SCCM SUPs, shared content and database

Recently I needed to relocate the WSUS content directory for an SCCM site which was running multiple Software Update Points with a shared content directory and SUSDB cross forest. It was pretty straightforward, but it needed a methodical approach to be successful.

High Level Steps:

1. Create a new directory and share.
2. Grant the appropriate permissions.
3. Stop WSUS on cross forest SUPs (all but one).
4. Run Wsusutil MoveContent command.
5. Alter registry and IIS on cross forest SUPs.
6. Start WSUS instances.

Detailed Steps:


1. Create Directory and Share

Create a directory and share for WSUS content. This could be on a file server or local, but it needs to be accessible by all SUPs over SMB using a UNC path. It should mimic the current content location in terms of permissions and network access.

2. Grant Permissions

SUPs will connect to the share using their computer accounts, so at least a one-way inbound trust needs to exist beforehand. Grant the computer accounts for all SUPs 'Full Control' for the share and for NTFS.

The user account being used to run the wsusutil movecontent command will also need full control.

3. Stop WSUS on SUPs.

Stop the WSUS service and website on all SUPs except the SUP currently being used to synchronize with Microsoft Update (the WSUS master front end server).

Stop-Website "WSUS Administration"
Stop-Service WsusService -Force

4. Run WSUSUtil MoveContent command

On the currently active SUP, open an elevated command prompt and run the following command from c:\program files\update services\tools:

Wsusutil.exe movecontent \\FQDN\SHARE\ c:\dir\wsuslog.log

This will move the content from the current directory to the share on server \\FQDN and output a log file to c:\dir\wsuslog.log. It's obvious, but make sure you use the fully qualified domain name and that it is resolvable cross forest.

5. Alter registry and IIS on other SUPs

You could run the wsusutil movecontent command on each of the other SUPs with the -skipcopy flag, but I find it just as easy to alter the registry and IIS.

Update the 'contentdir' string in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\ to reflect the share path (i.e. \\FQDN\SHARE\).

Open IIS, expand WSUS Administration, click on 'content' and select 'advanced settings'.
Enter the full path to the wsuscontent folder on the share, i.e. \\FQDN\SHARE\wsuscontent\

6. Start WSUS on all instances

Once the registry entries and IIS have been updated, start the WSUS service and websites on all SUPs.

Start-Website "WSUS Administration"
Start-Service WsusService
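
Steps 3, 5 and 6 for a single secondary SUP, combined into one PowerShell script that checks the share first and reads both settings back before restarting WSUS. This is an added example, not part of the original post; the $ShareRoot parameter and the variable names are assumptions, and it relies on the registry value and 'content' virtual directory named in step 5.

```powershell
#Requires -RunAsAdministrator
# Added example: run on each secondary SUP once MoveContent has finished on the active SUP.
param(
    # UNC root of the new share, as passed to wsusutil in step 4 (placeholder: \\FQDN\SHARE\)
    [Parameter(Mandatory)][string]$ShareRoot
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$setupKey   = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$vdir       = 'IIS:\Sites\WSUS Administration\Content'
$contentDir = $ShareRoot.TrimEnd('\') + '\'
$iisPath    = $contentDir + 'wsuscontent\'

# Fail before touching anything if the moved content is not visible from this server.
# This runs as the logged-on admin; the computer-account permissions from step 2 are
# only exercised once WSUS itself starts.
if (-not (Test-Path -LiteralPath $iisPath)) {
    throw "Cannot reach $iisPath. Check name resolution, the share and its permissions."
}

Stop-Website 'WSUS Administration'
Stop-Service WsusService -Force

# Record the old values so the change can be reverted by hand if needed.
$oldReg = (Get-ItemProperty -Path $setupKey -Name ContentDir).ContentDir
$oldIis = (Get-Item $vdir).physicalPath
Write-Host "Previous ContentDir:   $oldReg"
Write-Host "Previous physicalPath: $oldIis"

Set-ItemProperty -Path $setupKey -Name ContentDir -Value $contentDir
Set-ItemProperty -Path $vdir -Name physicalPath -Value $iisPath

# Read both settings back and refuse to start WSUS on a mismatch.
$newReg = (Get-ItemProperty -Path $setupKey -Name ContentDir).ContentDir
$newIis = (Get-Item $vdir).physicalPath
if ($newReg -ne $contentDir -or $newIis -ne $iisPath) {
    throw "Mismatch after update: registry='$newReg' IIS='$newIis'"
}

Start-Website 'WSUS Administration'
Start-Service WsusService
Write-Host "SUP now serving content from $iisPath"
```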

About Me

Senior Consultant at CDW UK specialising in Microsoft workspace and cloud technologies.