Migrating WSUS from one Server to another
WSUS has been running in your infrastructure for many years and is doing a pretty good job of patching your clients and servers, but it has now come to the point where you need to migrate it to a new box. This usually happens when the OS reaches the end of its support life (EOL) or the hardware has reached the warranty limit. Another reason to migrate rather than start with a new installation is that you don’t have to download the required updates from Microsoft and approve them all over again. I don’t know about you, but approving hundreds of updates is not something I will do a second time. In either case, the service needs to be migrated with minimal downtime and not too much headache.
To simulate this, I installed one WSUS service on a 2003 server; this is the WSUS that has been patching the infrastructure right from the beginning. I named it WSUS-OLD for the sake of the example, so you can better follow the migration procedure. If your WSUS is not running on a 2003 server, no problem, this works with every OS version you might have. The second WSUS server will run on a 2012 R2 server and will replace the old WSUS. I’m going to name the new server WSUS-NEW, again for the sake of the example. Both of them are installed with a local database, but if yours are configured with a remote SQL server, don’t worry, it works the same either way. You can have your old WSUS with a local database and the new WSUS with a remote SQL server, or vice versa.
Now, on the new server go ahead and install WSUS and when you get to the configuration wizard set it as a downstream replica server; point it to your working WSUS.
Note: If there is a firewall between the two WSUS servers you will need to open the proper port (80, 8530 or 443) in order for them to be able to communicate.
Click Start Connecting to save the settings and download the upstream server information.
At the end of the configuration wizard choose to begin the initial synchronization then click Finish. Be patient, it will take a while.
Once the synchronization is done your two WSUS servers should look almost the same. They should have the same computer groups, approved updates, downloaded updates, etc.
One thing they do not synchronize is the configuration options, and unfortunately these need to be set manually. Don’t worry, it’s a two-minute job, but before you can do that the new WSUS server needs to be set to autonomous mode. Go to Options > Update Source and Proxy Server, un-check the box This server is a replica of the upstream server, then click the radio button Synchronize from Microsoft Update.
Now you can go ahead and match the rest of the options with the old WSUS server, like Products and Classifications, Update Files and Languages, computers assignment, E-Mail Notifications.
Once the options between the two servers match, the last step is to modify your group policy in order to point your clients to the new WSUS server. Open your GPO or GPOs and change the server name in the Specify intranet Microsoft update service location policy.
After a few hours, clients should appear in the WSUS console at the exact same patch level they were at on the old WSUS server. If you want to force the process on one or two of the clients just to see if it actually works, run gpupdate /force to get the new policy, then type wuauclt /detectnow and wuauclt /reportnow to force a check for updates and a report to WSUS. Wait a few days, and if everything is working fine you can go ahead and decommission the old box. And that’s it!
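The client-side check described above can be scripted so that a test machine is confirmed to hold the new policy and to reach the new server before detection is forced. This is an added example, not part of the original post; it assumes the GPO was set to http://WSUS-NEW:8530 (the article's example server name on the default WSUS port for Server 2012 and later) and that it runs elevated on the client.

```powershell
# Added example, not from the original post. Run elevated on one test client.
# Assumption: the GPO now points at http://WSUS-NEW:8530; change to match yours.
$ExpectedUrl = 'http://WSUS-NEW:8530'

# Pull the changed policy first, as the article does.
gpupdate /target:computer /force | Out-Null

# The "Specify intranet Microsoft update service location" policy lands here.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $wuKey      -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

$problems = @()
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = if ($policy) { $policy.$name } else { $null }
    if (-not $value) {
        $problems += "$name is not set; the WSUS policy has not reached this client."
    } elseif ($value.TrimEnd('/') -ne $ExpectedUrl) {
        $problems += "$name is '$value', expected '$ExpectedUrl'."
    }
}
if (-not $au -or $au.UseWUServer -ne 1) {
    $problems += 'AU\UseWUServer is not 1; the client ignores the intranet server.'
}

# Check that the port named in the URL is reachable from this client.
$uri = [Uri]$ExpectedUrl
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($uri.Host, $uri.Port)
} catch {
    $problems += "Cannot reach $($uri.Host) on TCP $($uri.Port): $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    return   # do not force detection against a wrong or unreachable server
}

# Policy and connectivity are good: force detection and reporting.
wuauclt /detectnow
wuauclt /reportnow
Write-Output "Client is pointed at $ExpectedUrl and check-in was triggered."
```

A warning about WUServer still holding the old URL, or about the port being unreachable, means the client will stop receiving updates once the old box is decommissioned, so resolve it before that step.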
Migrating WSUS to a new server is not a difficult process and it can be done with minimal downtime. The hard part is to wait for all the clients to get the new policy and register themselves with the new WSUS server. Everything after that is the same as it was before, approve/decline updates and patch the systems in your environment.
26 thoughts on “Migrating WSUS from one Server to another”
Anyone having the same issue –
You may need to add the new port that WSUS uses since Svr2012, rather than just the server name. 2003 and 2008 use standard 80 and 443 ports so do not need specifying.
http://WSUSSERVER:8530 and not just http://WSUSSERVER as this will communicate on 80 and 443
Yes, you are right, starting with Server 2012, by default WSUS configures itself on port 8530. I guess Microsoft did this so there would not be any conflict with other web sites that might exist on the server. I don’t know, just saying. This is not a big issue since everything works great with this port also, you just need to remember to set it up in the GPO.
thanks a lot bro, this worked like a charm!
Had to ‘dismiss’ a very bitchy WSUS (2016 Datacenter) serving ~100 clients and 20 servers.
Our new ’employee’ is doing a way better job now. ^_^
Have a good time!
Thank you. I’m glad I could help out.
Can you please help me if the below scenario will work or not?
1) My existing wsus server name WSUS-A.dev.internal(2012 R2)
2) Renamed it to WSUS-A-OLD.dev.internal
3) Deployed new 2016 server WSUS-A.dev.internal
4) On the new server go ahead and install WSUS and when you get to the configuration wizard set it as a downstream replica server; point it to WSUS-A-OLD.dev.internal
Will this work without any issues so that I don’t need to make any changes in my GPO to point to the new WSUS server?
Thanks in advance
In theory it will work, but in practice it is something else. There is always something that can go wrong. Before doing this make sure you have a backup, then go ahead and do it. Let me know how it works.
I am unable to change the new WSUS server from synchronizing from another WSUS server to synchronizing from Windows Update. The interface just crashes and throws the following error:
Event ID 7042
System.Data.SqlClient.SqlException — Maximum stored procedure, function, trigger, or view nesting level exceeded (limit 32).
Info:spSetConfiguration – SyncToMU or UpstreamServerName config value changed – no reset
Have you seen anything like this?
Not the error in particular, but check and see so the server does not synchronize during your operation. If it does, stop the synchronization.
Just tried this method and now the PCs don’t seem to be able to connect to WSUS anymore. If I manually try checking for updates I get an error “Windows could not search for new updates. Code 80244019”, tried this on just two computers so far but a bit worrying. The only difference from your instructions was that I switched off the old server (2008) and changed the IP address of new server (2012) to match the same as the old so I didn’t have to change the GPOs. Could this be the problem?
Yes, the GPO is the problem. It does not matter if the new WSUS server has a different IP address or name. All that matters is to configure the GPO to point the clients to the new WSUS server.
Thank you bro. You save my life.
I migrated our Windows 2003 WSUS server to Windows 2012 R2 WSUS. It’s a fresh install and WSUS 2012 was installed and configured as a downstream replica server with a local WID database. I did not copy the DB from 2003 to 2012. The sync was successful with the upstream server. I changed our GPO to point to the new WSUS 2012 server and rebooted the server. The new setting is being applied via GPO. I did a detectnow and see a bunch of errors in the log.
I’m wondering, do I need to change the WSUS 2012 server identity as per the link below for clients to check in?
Never heard of this. Usually all you have to do is change the URL in the GPO where clients connect and you are good to go. What errors are you seeing in the log?
Did you find a resolution for this?
I’m looking at your instructions and it is pretty simple to carry out. Can I safely say the “Migrate WSUS Update Binaries from the Source Server to the Destination Server Using Windows Server Migration Tools” (https://technet.microsoft.com/library/ee822836(ws.10).aspx) has been done using your method?
I’m actually planning to migrate 2003 R2 to 2012 R2 thus trying to figure out all necessary actions.
Thanks in advance.
I never tried using the tool, but if you do, I will appreciate it if you post the results here so others can benefit from this.
What a clever way to migrate!
Thank you 🙂
The last point as you wrote did not work:
Options > Update Source and Proxy server and un-check the box This server is a replica of the upstream server then click the radio button Synchronize from Microsoft Update.
The Radio button to Switch to Synchronize from Microsoft Update is greyed out and can’t be set!
Settings can’t be changed usually when WSUS is synchronizing. Make sure there is no running job and try again.