Ramblings From The Litter Tray of Life

Posts Tagged ‘manual’

WSUS in the Workgroup

Posted by graycat on 27 August 2008

Sometimes you might need an update server in a small company or network where there is no domain or, like me in this case, you’re building a new machine and need to update it without joining it to the domain. Even if you install the OS using the latest repository from the manufacturer, you are going to have to update it further. This updating can take ages when pulled over the inter-web from MS, so accessing a WSUS server would be ideal.

Well with a little work, you can get a workgroup machine to use your domain WSUS server ….. and here’s how.

Two main options really (as laid out here by Microsoft) – policy based and registry based. I’m not going to go into the policy based stuff as that’s really well covered in the MS page and very straightforward. The method I’ve just used though is adding to the registry.

After a little searching I ran across a few reg keys that’ll point the machine towards the right WSUS, set download / install options and even drop it into the right WSUS group. In the end I went with these reg settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://192.168.0.100"
"WUStatusServer"="http://192.168.0.100"

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000002
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"RescheduleWaitTime"=dword:00000005
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000000
"UseWUServer"=dword:00000001

The first few keys are pretty self-evident as specifying your WSUS server. I’ve seen people suggesting that the server name, FQDN and IP address all work but I could only get the IP address to work and think this is a better solution anyway. In these keys you will also need to specify the port number to use if it is not the default port 80. This is done thus: "http://192.168.0.100:8530".

The AU section is where it gets interesting and allows you to set all the options such as downloading, installing and reboots. The AUOptions dword options go like this:

  • 1 – Keep my computer up to date has been disabled in Automatic Updates.
  • 2 – Notify of download and installation.
  • 3 – Automatically download and notify of installation.
  • 4 – Automatically download and scheduled installation.

Personally I’m an option 3 kinda guy when it comes to servers, i.e. download it but I’ll give final approval to install it or not manually. Yes, this takes more time but it’ll save a lot more time if something goes wrong IMO.

The other keys are pretty easy to follow so I won’t rewrite the MS article but here’s an overview.

ScheduledInstallDay – which days to install on. 0 = every day

ScheduledInstallTime – what time you want the install to run, using 0 – 23 time format (for the hours if you’re not hip with the military speak)

NoAutoUpdate – enables or disables autoupdate.

NoAutoRebootWithLoggedOnUsers – true or false situation. If set to 1, will not automatically restart a computer while users are logged on.
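An added example, not part of the original post: a short Python check that parses a .reg file like the one above and flags settings that would stop the client from using WSUS, plus the use of plain HTTP. The sample text is constructed from the values in the post, the function names are hypothetical, and the consistency rules (UseWUServer must be 1, WUServer and WUStatusServer must match) are taken from Microsoft's documentation of these values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample built from the post's values; function names are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://192.168.0.100"
"WUStatusServer"="http://192.168.0.100"

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000002
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
'''

def parse_reg(text):
    """Return {value_name: value} for string and dword entries, ignoring key paths."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))\s*$', line.strip())
        if m:
            values[m.group(1)] = m.group(2) if m.group(2) is not None else int(m.group(3), 16)
    return values

def audit_wsus(text):
    """Return a list of findings; an empty list means no problems were found."""
    v, findings = parse_reg(text), []
    if v.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: WUServer is ignored")
    if v.get("NoAutoUpdate", 0) == 1:
        findings.append("NoAutoUpdate is 1: Automatic Updates is disabled")
    if v.get("WUServer") != v.get("WUStatusServer"):
        findings.append("WUServer and WUStatusServer differ")
    url = urlsplit(v.get("WUServer") or "")
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("WUServer is not a valid http(s) URL")
    elif url.scheme == "http":
        findings.append("WUServer uses plain HTTP: traffic to the WSUS server is unencrypted")
    if v.get("AUOptions") not in (1, 2, 3, 4):
        findings.append("AUOptions is outside 1-4")
    return findings
```

Run against the post's settings, `audit_wsus(SAMPLE_REG)` returns only the plain-HTTP finding; a file copied with typographic quotes yields no parsed values at all, which shows up as several findings at once.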


How to set an SNTP server by command line

Posted by graycat on 22 July 2008

Ok, I know this one won’t interest most people but it’s something I’ve had to do twice this month so I thought I’d throw it out there.

First you might be asking yourself “why is it important to set a time server? The clock looks about right to me!”

Well, my well-meaning friend, the authentication protocol that Windows uses within domains (Kerberos) uses time as part of its calculations and it’s a bit picky about how far out you get. I’ve seen one server that just would not let a senior admin log on no matter what he did …. until he spotted the clock was right but the date was out by a month! Once that was corrected, he was off and running!

Normally within a domain you will be assigning IP addresses using DHCP and you can add the time server in there as one of the options. However, if you get into the situation where you need to check it is synchronising with the right box you can use this command:

Net time /querysntp

This will then spit out where it’s getting its time from. If it isn’t synchronising with anything, it will report that too.

To add a server you need the /setsntp: switch, so something like this would do the job:

Net time /setsntp:timeserver.mydomain.com

If you run the querysntp again, it should report the current SNTP server you’ve just set.

A bit of advice though – it doesn’t matter if you set the clock 45 minutes out of whack with the rest of the world …. as long as all your machines are set like that!
