September 4, 2010

How to move WSUS 3.0 to a new server

In this article I will outline how to migrate WSUS 3.0 to a new server using a local SQL Express instance and without downloading all of the updates again.

1. Install WSUS on the new server with a local SQL Express database.

2. During the configuration wizard, choose "Synchronize from another WSUS server…", enter the name of the existing WSUS instance you are migrating from, and then choose the replica option.

3. Complete the configuration wizard (some options will be skipped because the server is a replica).

4. Wait for initial synchronisation to complete. This will synchronise update files, approvals, and computer groups, but not other server settings. This step saves you having to download your approved updates from the internet again.

5. Change the new server from a replica to standalone.

6. Download the WSUS API Samples and Tools from Microsoft and install it on each of the servers.

7. On the old server open a command prompt and navigate to the C:\Program Files\Update Services 3.0 API Samples and Tools\WsusMigrate\WsusMigrationExport folder.

8. Run "wsusmigrationexport.exe settings.xml" to export the settings. This will back up your approvals and target groups to an XML file.

9. Copy the XML file to the new server.

10. On the new server open a command prompt and navigate to the C:\Program Files\Update Services 3.0 API Samples and Tools\WsusMigrate\WsusMigrationImport folder. Run "wsusmigrationimport.exe settings.xml All None".

11. Configure your server settings (products and classifications, auto-approvals, email alerts, etc.) on the new server to match the old server.

12. Update your GPOs to direct clients to the new WSUS server. If you are using GPOs to assign computers to Computer Groups in WSUS then no further action is required. If you are manually assigning computers to Computer Groups in WSUS then all clients will initially end up in Unassigned Computers when they report in to the new WSUS server, and they will need to be manually assigned to their correct group.
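
To confirm that step 12 has taken effect on a client, the following PowerShell check (an added example, not part of the original article) reads the Windows Update policy values that the GPO writes to the registry and compares them with the new server. The URL `http://newwsus.example.local` and the function names are placeholders chosen for this example; the registry value names are the standard Windows Update policy values.

```powershell
# Added example, not from the original article. Run on a client after the GPO change.
param(
    # Hypothetical URL: replace with the address of your new WSUS server.
    [string]$ExpectedServer = 'http://newwsus.example.local',
    # Set this switch if your GPOs assign computers to WSUS computer groups.
    [switch]$ClientSideTargeting
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-WsusClientPolicy {
    param([string]$Expected, [bool]$Targeting)
    $problems = @()
    $expectedUrl = $Expected.TrimEnd('/')

    # Both the update server and the statistics server must point at the new server.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = Get-PolicyValue -Path $wuKey -Name $name
        if ($null -eq $value) {
            $problems += "$name is not set by policy"
        } elseif (([string]$value).TrimEnd('/') -ne $expectedUrl) {
            $problems += "$name is '$value', expected '$expectedUrl'"
        }
    }

    # Without UseWUServer = 1 the client ignores the intranet server settings.
    if ((Get-PolicyValue -Path $auKey -Name 'UseWUServer') -ne 1) {
        $problems += 'UseWUServer is not 1, so the intranet server is not used'
    }

    # Client-side targeting needs both the enable flag and a group name.
    if ($Targeting) {
        if ((Get-PolicyValue -Path $wuKey -Name 'TargetGroupEnabled') -ne 1) {
            $problems += 'TargetGroupEnabled is not 1'
        }
        $group = Get-PolicyValue -Path $wuKey -Name 'TargetGroup'
        if ([string]::IsNullOrEmpty($group)) {
            $problems += 'TargetGroup is empty'
        }
    }
    return ,$problems
}

$result = Test-WsusClientPolicy -Expected $ExpectedServer `
                                -Targeting $ClientSideTargeting.IsPresent
if ($result.Count -eq 0) {
    Write-Output "OK: policy points this client at $ExpectedServer"
} else {
    $result | ForEach-Object { Write-Output "PROBLEM: $_" }
    exit 1
}
```

Run it on a client after `gpupdate /force`. If the targeting values are correct and the client still appears in Unassigned Computers, check that the WSUS server itself is set to "Use Group Policy or registry settings on computers", which this client-side check cannot see.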

Comments

  1. Johannes says:

    Thank you for the clear instructions! I'll try that.

  2. Matthew says:

    Excellent article…thanks!

  3. Icy says:

    Very clear instructions. The best I found while searching. Thanks very much.

  4. Anton van der Merwe says:

    Thanks a mil, works like a charm..

  5. Marc Proulx says:

    Thanks for the excellent article. My migration seems to have worked, with one exception. The clients are reporting to the new server, however are not downloading or installing newly approved updates from the new server.

    Any ideas?

  6. Paul says:

    Hi Marc, there are two GPO settings that are relevant. One is for the server that clients will download updates from, the other is the server they will upload their statistics to. Make sure you’ve configured both of them correctly.

  7. Marc Proulx says:

    Hi Paul,

    I do have both of these settings pointing to an alias DNS record (wsus.mydomain.com) which was an alias for the old wsus server. Upon completing the migration, I changed this DNS record to point to the new server. At first, I used the IPCONFIG /FLUSHDNS to ensure my clients were getting the new DNS information, but now, it’s been over 24 hours since the change and I’ve also tried restarting several clients, but still no luck.

    The WSUS server is indicating that there are approved updates needed by these clients, however, the clients are not downloading, or installing them.

  8. Marc Proulx says:

    Update:

    I’ve restarted the server and also reapproved the new updates a second time. Now the clients are downloading and installing the new updates.

    I have however noticed a second problem. The new WSUS server (which is a Windows 2008 server) is not able to synchronize with Microsoft. I double and triple checked our corporate firewall and it is configured to allow this. Here’s the error I am getting:

    WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

    Any Ideas?

  9. Paul says:

    Hi Marc, I haven’t experienced that problem myself but looking around it seems it is most commonly a firewall issue. What firewall are you running, and can you see whether it is allowing or denying the HTTPS requests from the WSUS server to Microsoft’s update servers?

  10. Matt says:

    This worked very nicely – no troubles at all. Nicely done!

  11. Abiodun Sobowale says:

    thanks to the assassin! you have just made my day.

  12. Please please help me! We ran out of space on our production webserver last night due to 50GB of WSUSContent, so I moved some of the content files to our file server and stopped the WSUS app pool for now.

    I want to install WSUS 3.0 on another server so it won’t affect our Production Web Server.
    I want to use the existing remote database on the existing remote SQL 2005 database server.
    I want to keep my approvals.
    I want WSUSContent to be on the D: drive on the new server instead of the C: drive where it’s at now.

  13. Paul says:

    Cynthia, sounds like a real problem on your hands. Here are my suggestions:

    Firstly, if your web server has another disk that has enough free space for the WSUS content, you can move it to that disk by following this process:

    Scenario: Moving WSUS content to a new directory or disk to free up disk space.
    1. Create the new disk/volume
    2. Create the new folder, eg E:\WSUS
    3. Open a CMD prompt and navigate to C:\Program Files\Update Services\Tools
    4. Run “wsusutil movecontent E:\WSUS e:\wsusmove.log”
    5. Wait
    6. Delete the original WSUS content folder to free up space

    For your task of moving WSUS to a new server, I would suggest the following:

    1. Follow the instructions in this blog post to install a new WSUS instance on your new server, using SQL Express (ie Windows Internal Database) and specifying the correct disk to hold your WSUS content.
    2. Complete the migration to the new server as shown above.
    3. Remove the old SUSDB from your SQL server.
    4. Follow my instructions here to migrate your new WSUS database from the SQL Express instance to your remote SQL Server:
    http://www.exchangeserverpro.com/2008/09/24/how-to-migrate-wsus-30-from-sql-express-to-a-remote-sql-server/

    If I’m reading your comment correctly I believe this should resolve your issues.

  14. Dheeraj says:

    Hi,

    I have tried to migrate WSUS server as per the instructions above.
    When I try to import XML file I am getting the below mentioned error

    WsusMigration failed with the below exception!
    Microsoft.UpdateServices.Administration.WsusInvalidServerException: Exception of
    type ‘Microsoft.UpdateServices.Administration.WsusInvalidServerException’ was t
    hrown.
    at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()
    at Microsoft.WsusMigrationTools.ImportServerStatus.ImportData(XmlTextReader r
    eader)
    at Microsoft.WsusMigrationTools.WsusMigrationTool.Main(String[] args)

    Please advise

    Regards

  15. Paul says:

    Hi Dheeraj,

    From what I can see that error occurs if the server you are trying to import to is invalid. There can be many different reasons for that, such as:

    - new server not installed correctly
    - wrong version of WSUS tools used
    - misspelled new server name when running the command
    - permissions problem accessing the new server

    I’d suggest testing that the new server is functioning properly before trying again.

  16. Mike says:

    Hey Paul!

    You beat me to it on my site – but THANKS A MILLION for this post – I cannot tell you how much time this saved me – and downloading time!

    Worked great!

    Cheers!
    Mike

  17. Paul says:

    You’re welcome Mike.

  18. Andrew says:

    Hey Paul,
    Am following your method here but have run into a hitch at #7: I get the following error:

    WsusMigrationExport failed with the below exception!
    System.Net.WebException: The operation has timed out
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
    at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    at Microsoft.UpdateServices.Internal.ApiRemoting.ExecuteSPSearchUpdates(String updateScopeXml, String preferredCulture, Int32 publicationState)
    at Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccessProxy.ExecuteSPSearchUpdates(String updateScopeXml, String preferredCulture, ExtendedPublicationState publicationState)
    at Microsoft.UpdateServices.Internal.BaseApi.Update.SearchUpdates(UpdateScope searchScope, ExtendedPublicationState publicationState, UpdateServer updateServer)
    at Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetUpdates()
    at Microsoft.WsusMigrationTools.ExportServerStatus.DumpData(XmlTextWriter dataWriter)
    at Microsoft.WsusMigrationTools.WsusMigrationTool.Main(String[] args)

    Have looked all over the net but can’t find any solutions, have stopped/restarted everything possible to no avail..

  19. Paul says:

    Hi Andrew, I’ve never seen that error before. Are you sure the WSUS server you’re trying to export is online and running properly?

  20. Andrew says:

    Hi Paul, yeah I could still connect to it from both a local & remote console, and clients still get nagged to restart for new updates.. I had a bit of a play though in case it was the .net install, uninstalled, reinstalled 2.0 & 2.0 SP1, along with the asp.net component of IIS in various combinations and orders but the only thing I managed to achieve was to render the WSUS server itself inaccessible from the console with a

    System.IO.IOException — The handshake failed due to an unexpected packet
    format.

    error. So I tried something else instead: I copied the DB files from the old server to the new server, stopped the Update Services service and simply replaced (detach/attach) the whole DB, complete with approvals, metadata & product/classification settings. I did have to adjust the security on the files to match the existing ones, but everything seems to be running smoothly.. hope that helps someone…

  21. Dave says:

    Paul,
    I migrated WSUS to another server following the above steps and it seems to be working without any problems. It was the easiest migration I think I’ve ever performed. Thanks for the documentation. One question though if I may. On the drive where the database is installed, in the WsusContent folder, there are many folders being created; so far 18 this morning. These folders are quite large, from 10 to 800 MB. At this rate we will be out of free space in a few days. It seems excessive since we only had 1 update needed this morning. Any ideas?
    Thanks

    • Paul says:

      Hi Dave, those folders are where the update catalogs and files are stored when WSUS downloads them. I’d recommend allocating more disk space to your WSUS content drive. You can see how to move the WSUS content to another drive in a comment I wrote recently to another person on this post.

  22. Rodeca says:

    First thing: thank you

    Question: Isn’t there any _easy_ way to transfer clients (and their status) as well?
    I followed your steps and everything went fine (well, in lab at least). But now, when clients begin to connect, there will be a big amount of work at wsus server and at clients… only to conclude that everything is ok.

    Last thing: why *@+** microsoft almost never thinks that we need to transfer things (services, roles, …) from old boxes to new ones: it is always a pain: exchange, wsus, PDC, …

    Thanks again (and again…)

  23. Paul says:

    Hi Rodeca, I’ve never really considered that to be a problem so I honestly don’t know what the answer to your first question is.

    For your second comment, yes sometimes it is pretty painful to migrate from server to server or update to new versions. WSUS is an example of this, but the improvements in WSUS 3.0 over earlier versions make it worth the effort.

  24. Tobias says:

    Unfortunately this does not work when moving from Win2003 to Win2008 x64.
    First .NET Framework 1.1 is needed for WSUS API Samples and Tools-installation. After installing everything (and ignoring that .NET 1.1 is not supported) the import fails when trying to load “Microsoft.Updateservices.Administration” from GAC (File not found exception). Extracting the DLL from GAC or using those in the Update Services Setup folder and copying them to the Migration-Directory mentioned above results in a “Bad File Format Error”. This looks like doing it all over again (Approve everything etc.). Microsoft still ignores that they are developing x64 systems ;-)

  25. DC says:

    I had the same problem with the .net framework error on 2k8 x64, where I then exited the installation. We ended up building our server and recreating the groups and approvals, to later revisit the problem. After working with MS who verified the installation works fine on their end, we then downloaded a fresh copy of the API samples and were able to install them with no issue or prompts about .net framework.

    If you are running 64 bit don't forget to use the correct Program files directory (X86), otherwise you will get errors when running the commands above.

  26. Dan says:

    Just wanted to say thanks for this post. I just migrated our primary WSUS server tonight and it went very smoothly.

    FYI I was going from Server 2003 32-bit with local SQL 2005 Express to Server 2008 64-bit using a remote SQL 2005 Standard server, and had no errors or problems. Since WSUS 3.0 SP2 hit this morning, I went ahead and applied that to the old server first, then used the SP2 integrated installer on the new server. We also have a replica server in a branch site, and I was able to update it to replicate from the new server without an issue.

  27. willschillin says:

    Mark,

    I read your response to Cynthia which is almost exactly what I needed to do. I did the first part using the utility to move the data, that part is done. However the original WSUS folder (27GB) on C: is still there, is it safe to just delete that once the move is finished? I have two folders now, C:\WSUS and E:\WSUS, the idea is to fully remove the C:\WSUS\WSUSContent on the same server and not have any more updates go into that folder, instead go into E:\WSUS. I see the sharing of WSUSContent is automatically moved after that command finished so I believe it's safe to just delete this duplicate data off C:\WSUS\WSUSContent. Is that correct?

    Thanks ahead of time. Great post will recommend to others ;)

    Will

  28. Kevin Greenway says:

    Yep great post thanks a lot! Had to move the wsus content to another server due to shortage of space, just like others..worked a treat.

  29. Dan Wilson says:

    Procedure completely destroyed WSUS on an x64 server. The API/Tools installation requires .Net framework 1.1, which makes the WSUS console and update services not work anymore. The API/Tools can’t export the server settings on an x64 machine (returns an error). Had to remove WSUS completely, and start over from scratch on another server.

  30. Deepesh says:

    I migrated WSUS to another server following the above steps and it seems to be working without any problems. It was the easiest migration I think I’ve ever performed. Thanks for the documentation.

  31. Mohammed Alani says:

    Thanks a lot ….

  32. Deepesh says:

    Hey Paul,
    After migration of WSUS 3.0 SP1 to the new server, we have synced the new server with the old WSUS servers and imported the configuration settings from the old WSUS server to the new WSUS server. After that the computer groups are showing, but in the groups no machines are listed; all the machines are showing in the unassigned group. But on the old server all the computers are listed in the respective computer groups.
    Do we have to manually move the machines to the respective group?

    • If your computers were assigned to groups via GPO that should handle it automatically. If you were using manual assignment then you’ll probably need to go ahead and redo all the assignments manually.

  33. Deepesh says:

    Thanks Paul…

  34. Bogdan says:

    Does this solution work when we have downstream servers and we need to move the primary one on the new hardware?

  35. Ronnie says:

    Hi Paul.

    When I try and export the settings I get the following error, I see it’s the same as posted by Andrew. Any advice?

    WsusMigrationExport failed with the below exception!
    System.Net.WebException: The operation has timed out
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest
    request)
    at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequ
    est request)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodN
    ame, Object[] parameters)
    at Microsoft.UpdateServices.Internal.ApiRemoting.ExecuteSPSearchUpdates(Strin
    g updateScopeXml, String preferredCulture, Int32 publicationState)
    at Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccessProxy.Exec
    uteSPSearchUpdates(String updateScopeXml, String preferredCulture, ExtendedPubli
    cationState publicationState)
    at Microsoft.UpdateServices.Internal.BaseApi.Update.SearchUpdates(UpdateScope
    searchScope, ExtendedPublicationState publicationState, UpdateServer updateServ
    er)
    at Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetUpdates()
    at Microsoft.WsusMigrationTools.ExportServerStatus.DumpData(XmlTextWriter dat
    aWriter)
    at Microsoft.WsusMigrationTools.WsusMigrationTool.Main(String[] args)

  36. Gary Bledsoe says:

    Paul, I followed your procedures and it worked fine until the import step. I’m moving from a Server 2003 platform with WSUS SP2 and SQL Express 2005 installation to a Server 2008 R2 platform with WSUS SP2 and SQL Express 2008.

    I got the following error:
    WsusMigration failed with the below exception!
    Microsoft.UpdateServices.Administration.WsusInvalidServerException: Exception of
    type ‘Microsoft.UpdateServices.Administration.WsusInvalidServerException’ was thrown.
    at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()
    at Microsoft.WsusMigrationTools.ImportServerStatus.ImportData(XmlTextReader reader)
    at Microsoft.WsusMigrationTools.WsusMigrationTool.Main(String[] args)

    Not sure where the error is being created. Is there a mis-match between source and destination in configuration or just too big a jump?

  37. Steve says:

    Hey Paul,

    Found this page while googling. Your instructions worked perfectly for exporting/importing from a prod to test server, but let me just run it by you to see your thoughts, if you’re still checking this.

    Right now we have one upstream server which gets updates from MU, and then we have 3 autonomous WSUS servers at different physical locations which sync to the upstream server. This was set up “before my time” and it’s my goal to move these 3 servers into a replication model so I don’t have to approve 50-60 updates per server each time we have a patch cycle (we do quarterly patching). In the new system, these 3 servers would be replicas and all groups and updates would be pushed from the upstream server.

    My current plan, using your instructions here, is to export xml files from these 3 autonomous servers, disable WSUS services on them, and then import them into the existing upstream server. I would then re-enable the 3 WSUS downstream servers in replica mode. In theory (in my head), the new replicas will then sync with the upstream which now holds all computer groups and approvals. We have a ton of groups and thousands upon thousands of approvals set, so “starting over” isn’t really an option here. Do you think this plan will work out?

  38. Asif says:

    Thanks a lot, I followed your steps and it was successful, which saved my time.
    Just like to share one more thing, when I deployed WSUS on the new server it created computer groups but not the computers; the computers will be populated once the users connect to this new server after the GPO change. Which would again be a manual task to move computers based upon OU and time consuming.
    I got one free to download tool which will help to migrate computers from old server to new WSUS server.

    https://www.eminentware.com/cs2008/media/p/430.aspx

  39. Lisa says:

    So in answer to the folks who had the exception with the import on a Windows 2008/Windows 2008 R2… be sure to run your command prompt using ‘Run as Administrator’ and it works like a charm!

  40. Jeff says:

    I ran through this process and it seemed to work well. I have a couple questions:

    1. I am assigning target groups via GPO; however, as clients contact the new WSUS server, they are being put in the Unassigned group. What did I do wrong?

    2. What do I need to look for to verify a successful connection to the new server?

    Thanks,

    jeff

  41. Hi Jeff, if you’ve set up group assignments in your GPOs make sure the WSUS server is also configured to use GPO group assignments and not manual assignments.

    You can use the WSUS Client Diagnostic Tools from Microsoft to test connections to the server.

  42. Brent says:

    When you make the “New” server a replica server, this mirrors all approvals, settings, computers and groups from the parent.
    So why do you have to run the script to export/import approvals and groups, as these should have been synchronized already?

    Or does the procedure of converting a replica server to a stand-alone server remove these approvals and groups?

  43. Robin says:

    To those saying it doesn’t work on Windows Server 2008 x64, there have already been a few people posting they’ve done it successfully. I’m happy to say that so have I (at least it seems that way). We’ve gone from a physical 2003 x86 machine to a virtual 2008 x64 SP2 machine.

    When trying to install “WSUS API Samples and Tools” I received the message “This setup required .net framework version 1.1.4322”.
    I tried to install it using: https://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3&displaylang=en
    I received a warning regarding compatibility issues. I took a snapshot of the VM, then proceeded to install it anyway. The export/import of settings seemed to work fine.

    The only oddity at the moment is that despite using GPOs successfully in the past for client side targeting (putting clients in to computer groups) on the old WSUS server, this doesn’t appear to be working on the new WSUS server.
    I cloned the original GPO, modifying only:
    “Set the intranet update service for detecting updates”
    “Set the intranet statistics server”
    to reflect the new server.
    Despite this, and using gpupdate /force and rebooting the clients multiple times, they remain in the unassigned group on the new server. They report their update status to the new WSUS server without issue.

    Hmmm.

  44. Robin says:

    Ah, the solution had already been posted – make sure your WSUS server is set to “Use Group Policy or registry settings on computers”.

    http://dl.dropbox.com/u/273709/wsusdoh.png

    Why doesn’t it include this setting in the settings migration? Doh!

    So, 2003 x86 -> 2008 x64, all good!

    Many thanks :)
