Install WSUS and KMS on



Infrastructure & Operations
6 years ago
5 years ago


(Reporter: dustin, Assigned: dustin)




This server will serve updates and licenses to all Windows hosts in the Mozilla forest.
Depends on: 790691
KMS is stalled on getting a KMS key - bug 790691.
Depends on: 790719
Depends on: 791006
KMS is still stalled.

I'll start rolling out WSUS on the servers using GPO.
For the KMS key:

ETD 9/27

Hopefully Ann can figure out what we need, or has a login to find what we need.
Blocks: 792995
No longer blocks: 792995
I bumped KMS out to bug 792995.  This will track finishing WSUS.
I just added a WSUS GPO to the domain controllers to point them to WSUS.  There are two GPOs for WSUS now:

 WSUS - download and prompt
 WSUS - no updates

the latter is for slaves.  The former is probably best everywhere else.  If we decide we want things randomly rebooting (fun! excitement!) we can add a third to enable that.

Still need to figure out how to add a machine to a WSUS group based on its OU - if that's even possible.
The client-side group configuration for WSUS is called "client-side targeting":

I made a GPO entitled "WSUS - client - Domain Controllers" that puts hosts in the "Domain Controllers" group in WSUS.  I linked this to the "Domain Controllers" OU in  Now, we wait.
The "WSUS - client - download and prompt" GPO worked great.  Settings are locked in on the DC's now.

The client-side targetting did not.  Error 80072ee6.  Add another swift kick to the head for the microsoft engineers for still using numeric error codes.
suggests this means that the WSUS client on the DC is too old to talk to this WSUS box, meaning I need to update against Microsoft once first.  Let's hope that's not the case.
recommends looking in windowsupdate.log (start -> run seems to find it).
OK, the problem there was a missing http:// on the WSUS server hostname in GPO.  I added that, and it's now checking for updates from  However, it's still in the wrong group on that server (Unassigned Computers) and listed as "Not Yet Reported" (which may be because I only did a force check, rather than a timed check?)
points out that client-side targetting needs to be enabled on the client machine.  Duh :)
OK, that seems to work.  I documented the GPOs for this here:

Now it just remains to build a WSUS box from a bare-metal install using GPO.  That's lower-priority than other things, though.
Severity: normal → minor
..which is bug 798596
Last Resolved: 6 years ago
Resolution: --- → FIXED


5 years ago
Depends on: 839626
Component: Server Operations: RelEng → RelOps
Product: → Infrastructure & Operations
You need to log in before you can comment on or make changes to this bug.