Synchronization of WSUS Updates to a Locked Down WSUS Server

Quick post here. Let's start by thinking about a case where you have a WSUS server that does not and cannot have access to the internet or other WSUS servers.

For most people this is probably not a very common scenario, but I have a couple of customers with data centers that have no internet connectivity, or where a subset of the data center has none. This is normally not a big deal if you can at least punch a hole outbound for the WSUS server to reach an upstream update server or Microsoft, except for the rare case where you cannot even do that.

That said, there is a solution where you can actually export the update content and associated metadata from an update server and then physically transport this data to the super locked down location. This update content and metadata can then be synchronized into the locked down update server.

Here’s how:

  1. Prepare your online WSUS server to have all of the content you require and synchronize it with Microsoft.
  2. Copy all of the content from the source WSUS server (by default the content directory is at C:\Program Files\Update Services\WsusContent) to external media.
  3. Run “WsusUtil.exe export export.log” on the source server to export the database metadata.
  4. Copy and export.log to the external media you will be physically bringing into the super locked down location.
  5. Get the external media to the secure location and copy the contents of WsusContent to the WsusContent directory of the destination WSUS server (by default the content directory is at C:\Program Files\Update Services\WsusContent).
  6. Copy and export.log to the C:\Program Files\Update Services\Tools directory (this directory may be different depending on your installation).
  7. Run “WsusUtil.exe import export.log” on the destination server to import all of the update metadata into the database.

Note: the metadata import above can take quite some time to run depending on how many updates you are dealing with – I was dealing with a relatively trim 40GB content directory and this took a good 15 minutes to run; it also hit the local SQL server pretty hard.
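Because the content crosses the air gap on physical media, it is worth confirming that what lands in the destination WsusContent directory matches what left the source before running the import. The PowerShell below is an added example, not part of the original post: the function names `New-ContentManifest` and `Test-ContentManifest` and the `E:\` media path are assumptions, and the content path is the default given in the steps above.

```powershell
# Added example: SHA-256 manifest for the WsusContent copy across the air gap.
# Function names and the E:\ media path are hypothetical.

function New-ContentManifest {
    param(
        [Parameter(Mandatory)][string]$ContentRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $ContentRoot).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            # Store paths relative to the content root so the manifest
            # still matches if the destination uses a different drive.
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-ContentManifest {
    param(
        [Parameter(Mandatory)][string]$ContentRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $ContentRoot).Path.TrimEnd('\')
    $problems = foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        $path = Join-Path -Path $root -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Problem = 'Missing' }
        }
        elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $entry.SHA256) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Problem = 'HashMismatch' }
        }
    }
    # Emit the failures; an empty result means every listed file verified.
    $problems
}

# Source server, before copying to external media (step 2):
# New-ContentManifest -ContentRoot 'C:\Program Files\Update Services\WsusContent' -ManifestPath 'E:\WsusContent.manifest.csv'
# Destination server, after step 5 and before the import in step 7:
# $bad = Test-ContentManifest -ContentRoot 'C:\Program Files\Update Services\WsusContent' -ManifestPath 'E:\WsusContent.manifest.csv'
# if ($bad) { $bad | Format-Table; throw "$(@($bad).Count) file(s) failed verification" }
```

A manifest carried on the same media catches incomplete or corrupted copies; it is not evidence of origin unless the manifest itself is signed or carried separately. Files present on the destination but absent from the manifest are not flagged by this check.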

And now you have new update content on your “Super locked down WSUS server” :-)