I work on a network that is completely isolated from the internet. Therefore, I need to have two WSUS servers: one connected to the internet, which harvests the updates and the metadata, and the second on the isolated LAN. If you’re in the same situation, read below.
Each week, check for updates on the internet-connected WSUS server and approve if needed. Once the content has finished downloading, export the metadata and the content data to an external storage device. Carry it by sneakernet to the isolated network, import the metadata into the WSUS server, and copy the content data into the WSUS content directory.
If you’re finding that the updates on your disconnected WSUS server are not downloading after you imported the metadata and copied the files to the server, check the following:
- The WSUSContent directory should be in exactly the same location on both servers. If on WSUS server #1 the directory path is C:\WSUS\WsusContent, it should be the same on WSUS server #2. If you have the updates going to a different drive letter or folder, then the metadata in the database from server #1 will not point to the right place when you import it into WSUS server #2. You can run C:\Program Files\Update Services\Tools\wsusutil.exe help movecontent as a possible solution.
- Make sure "Store update files locally on this server" is selected.
- If you have express files on one server, you need to have them on the other server.
- Make sure "Download update files to this server only when updates are approved" is checked.
- Make sure the language settings under Options > Update Files and Languages are exactly the same on both servers.
Bottom line is, make sure these settings are the same on both servers. If you check additional languages, you will need to go back to your internet-connected WSUS server and re-download those versions of the files. You will then need to copy those files to the disconnected WSUS server.
When you approve the updates on the internet-connected server, they will not be approved on the disconnected server (the approvals are not stored in the metadata). You’ll have to re-approve the updates on the disconnected WSUS server as well.
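One way to check the list above across the air gap, as an added example that is not part of the original post: run this script on each server, carry the small JSON snapshot over with the update content, and compare it on the other side. It assumes the UpdateServices PowerShell module (Windows Server 2012 or later); the script parameters and the snapshot file name are hypothetical.

```powershell
# Added example (not from the original post). Run on each WSUS server.
# Assumes the UpdateServices module (Windows Server 2012 or later).
param(
    [string]$SnapshotPath = '.\wsus-settings.json',  # hypothetical file name
    [string]$CompareWith                              # snapshot carried over from the other server
)

$config = (Get-WsusServer).GetConfiguration()   # no arguments = local WSUS server

# The settings from the checklist that must be identical on both servers.
$settings = [ordered]@{
    LocalContentCachePath          = $config.LocalContentCachePath
    HostBinariesOnMicrosoftUpdate  = $config.HostBinariesOnMicrosoftUpdate   # $false = store files locally
    DownloadExpressPackages        = $config.DownloadExpressPackages
    DownloadUpdateBinariesAsNeeded = $config.DownloadUpdateBinariesAsNeeded  # $true = download only when approved
    AllUpdateLanguagesEnabled      = $config.AllUpdateLanguagesEnabled
    EnabledUpdateLanguages         = (@($config.GetEnabledUpdateLanguages()) | Sort-Object) -join ','
}

# Flag values that contradict the checklist on this server.
if ($settings.HostBinariesOnMicrosoftUpdate) {
    Write-Warning '"Store update files locally on this server" is not selected.'
}
if (-not $settings.DownloadUpdateBinariesAsNeeded) {
    Write-Warning '"Download update files to this server only when updates are approved" is not checked.'
}

$settings | ConvertTo-Json | Set-Content -Path $SnapshotPath -Encoding UTF8
Write-Output "Snapshot written to $SnapshotPath"

if ($CompareWith) {
    $other = Get-Content -Raw -Path $CompareWith | ConvertFrom-Json
    $mismatch = foreach ($name in $settings.Keys) {
        # String comparison; -ne is case-insensitive, which suits Windows paths.
        if ("$($settings[$name])" -ne "$($other.$name)") {
            [pscustomobject]@{ Setting = $name; ThisServer = $settings[$name]; OtherServer = $other.$name }
        }
    }
    if ($mismatch) {
        $mismatch | Format-Table -AutoSize
        exit 1
    }
    Write-Output 'All checked settings match on both servers.'
}
```

Any row in the mismatch table is a setting to correct before expecting imported updates to find their files on the disconnected server.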
I did notice when you approve an update on the disconnected WSUS server, it appears as if the server has to download the updates from itself. If you click between one of the Update views and the Server Name where the “Updates needing files” count is displayed, it will refresh the updates needing files count.