Share via

WSUS drive requirements

  • Article
  • 01/11/2018

Question

Thursday, January 11, 2018 5:32 PM

I have a WSUS server with a 250GB data drive, and it keeps filling it up, and stops working when it does.  I've seen the requirements for WSUS, and they claim it only needs 30GB of storage, but I find that to be completely false.  It downloaded 50GB more data in just 3 months back when I last expanded the drive, and the current folders in the WSUSContent folder only date from September 2017 to January 2018.  (My predecessor also put the SQL DB on the same drive as the data cache, which I think contributes to the server quitting when the drive fills up.)  It also claims to need only 2GB for the SQL database, but ours is over 8GB.  Microsoft's requirements listing seems to be very wrong.  

I'm also going to have to rebuild this thing because it has almost completely stopped working.

So, what drives do I need (I'm already thinking a 16GB drive exclusively for the SQL DB and a separate data caching drive) and how much space should I use for it?

All replies (24)

Thursday, January 11, 2018 5:49 PM

Don't rebuild - WAM will fix your issue. Show me the link where MS says where only 30GB is required? My WSUS_Content folder is right now at 94GB and holding steady between 90-120GB over the last year (using WAM to keep it clean, lean and mean!).

Please have a look at the WSUS Automated Maintenance (WAM) system. It is an automated maintenance system for WSUS, the last system you'll ever need to maintain WSUS!

https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

What it does:

  1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
  2. Remove all Drivers from the WSUS Database (Default; Optional).
  3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
  4. Remove declined updates from the WSUS Database.
  5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
  6. Compress Update Revisions.
  7. Remove Obsolete Updates.
  8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
  9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
  10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
  11. Run the Recommended SQL database Maintenance script on the actual SQL database.
  12. Run the Server Cleanup Wizard.

It will email the report out to you or save it to a file, or both.

Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

.\Clean-WSUS.ps1 -FirstRun

If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Friday, January 12, 2018 5:29 PM

Here's where I saw Microsoft's requirements:  https://technet.microsoft.com/en-us/library/dd939928(v=ws.10).aspx

It says specifically: "Minimum 20 GB of free space on the volume on which updates are stored; however, 30 GB is recommended."

Which seems to me to be pretty BS.

I'll try what you post here and see what I can get going.  My old WSUS server is pretty horked at the moment, with constant CPU activity and pretty much nonresponsive to WSUS requests.  So, I'm not hopeful.

Friday, January 12, 2018 5:54 PM

The new server I just set up is being pretty annoying, too.  I just set up WSUS, and just trying to bring up the sync history in the Update Services, and it times out.  It won't do hardly anything.

Friday, January 12, 2018 6:53 PM

Run WAM. I will make you a believer :)

FYI: Your link explicitly is for WSUS 3 and:

Applies To: Windows Server Update Services, Windows Small Business Server 2011 Standard, Windows Server 2008 R2, Windows Server 2003 with SP2, Windows Server 2008 R2 with SP1

WSUS 4+

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment#BKMK_1.1

Available disk space: 10 GB (40 GB or greater is recommended)

Diskspace of 10GB would be for a metadata database only - not storing update files on WSUS and having all clients download them directly from Microsoft after being approved on the WSUS Server.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Friday, January 12, 2018 7:43 PM

Yes, that is the version of Windows (2008r2) and WSUS (3.0 sp2) that I am using.  

Friday, January 12, 2018 9:32 PM

Yeah, no good.  Restoring the old WSUS server from Sunday's backup now.  The script wouldn't even run on it.  As for the new one, I've uninstalled the WSUS role and I'm going to install SQL Server 2008 and then try using WSUS from there.  To be unusable from a clean install is just too bad.  There are some things Microsoft is really bad with.

Friday, January 12, 2018 10:36 PM

Yeah, no good.  Restoring the old WSUS server from Sunday's backup now.  The script wouldn't even run on it.  As for the new one, I've uninstalled the WSUS role and I'm going to install SQL Server 2008 and then try using WSUS from there.  To be unusable from a clean install is just too bad.  There are some things Microsoft is really bad with.

No good wiith WAM? what happened? Did you follow the prerequisites?

WAM works with 2008+. Don't give up on WAM. Get it working and you'll be amazed with what it does. If you need help getting it working, I'll help you.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Friday, January 12, 2018 10:39 PM

And as for the WSUS Requirements - MS has not really updated them for such an old product (2008 WSUS). Technically it's over 2 versions behind now that Server 2016 is out, so I don't see them updating the page any time soon.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Friday, January 12, 2018 11:11 PM

I think it was mostly because of the horrible shape of the old WSUS server.  I have no idea what went wrong with the new one.  It wouldn't actually do anything with WSUS.  I think the install went wrong somewhere.  

Saturday, January 13, 2018 1:37 AM

I think it was mostly because of the horrible shape of the old WSUS server.  I have no idea what went wrong with the new one.  It wouldn't actually do anything with WSUS.  I think the install went wrong somewhere.  

As long as the prereqs are met, I've only seen 1 time where it couldn't fix the issues and that user had to reinstall WSUS with a blank slate.

If you want to put in a little bit of effort, I'd love to try to help you get it up and running - both on the old and the new.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Thursday, January 18, 2018 5:56 PM

I have now created about a dozen VMs, running both 2008 and 2012, both on our AD and off, and both on our network and directly connected to our DSL, and I keep running into the same behavior over and over and over again.  As soon as the WSUS role is installed, I go to the next step of opening the MMC console to configure things, I set it to just pick up Server updates, all other updates unchecked, and then go to the sync page to get it to sync once.  The system doesn't seem to do anything, and the console hangs when trying to bring up anything other than the options.  Even with a brand new sync history and only one entry, the request times out and all I can do is click "reset server node". 

Nothing works.  It is driving me nuts.  

Oh, and that script just comes back with an error that starts with "You must use -SaveReport or -MailReport if you are not going to use the pre-defined routines" when I try to run it.  It does nothing.  I've tried changing the execution policy to allow running everything, and that doesn't make any difference.  

Thursday, January 18, 2018 6:00 PM

Oh, and that script just comes back with an error that starts with "You must use -SaveReport or -MailReport if you are not going to use the pre-defined routines" when I try to run it.

Then you're executing it WITHOUT any added options - just like it says - you're not using any of the pre-defined routines (-FirstRun, -ScheduledRun, -DailyRun, -MonthlyRun, -QuarterlyRun) and so you must use the -SaveReport or -MailReport with your options.

DON'T

.\Clean-WSUS.ps1

DO

.\Clean-WSUS.ps1 -FirstRun

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Thursday, January 18, 2018 6:07 PM

Yeah, that didn't help either.  I get several errors:

Get-ItemProperty : Cannot find path 'HKLM:\Software\Microsoft\Update Services\Server\Setup' because it does not exist. (twice)

Test-SQLConnection : Cannot bind argument to parameter 'ServerInstance' because it is an empty string.

Exception calling "GetUpdateServer" with "3" argument(s): "Unable to connect to the remote server"

ERROR Connecting to the WSUS Server: cc-wsus.captcolo.com. Please check your settings and try again.

Thursday, January 18, 2018 6:24 PM

Yeah, that didn't help either.  I get several errors:

Get-ItemProperty : Cannot find path 'HKLM:\Software\Microsoft\Update Services\Server\Setup' because it does not exist. (twice)

Test-SQLConnection : Cannot bind argument to parameter 'ServerInstance' because it is an empty string.

Exception calling "GetUpdateServer" with "3" argument(s): "Unable to connect to the remote server"

ERROR Connecting to the WSUS Server: cc-wsus.captcolo.com. Please check your settings and try again.

Well that would make sense because you mentioned that it is NOT finishing the post install - which means that the WSUS Server is not yet fully setup. WAM is for working WSUS Servers. If you have that old WSUS Server still operational, use it there.

If you don't, setup whatever server, proceed with your config - go to the sync page to get it to sync once.

Come back at it 8-48 hours later! FirstSync is ALWAYS horrid.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Thursday, January 18, 2018 6:44 PM

That is with the old-n-busted server that was operating until about 10 days ago.

Thursday, January 18, 2018 6:49 PM

The new server, I just retried clearing everything and reinstalling the roles to see if I can work through the errors.  First, when I reinstalled the roles, it did not recreate the "c:\program files\Update Services\Tools" folder, so it couldn't execute the wsusutil.exe to start the post installation.  So, I restored just that, and it recreated the folder structure, but then failed because it wouldn't recreate the susdb in the internal database.  I'm thinking I may use a SQL server for it instead, but I'm not sure how to set that up.  I have a working SQL server I can use, or I can install SQL express on the WSUS server, whichever might work better.  

Thursday, January 18, 2018 6:52 PM

Then WSUS on this system is not installed. Look at the registry on the server. What that error is telling me is that that Key does not exist. If that key doesn't exist, the WSUS Services are not installed/configured.

You should see a bunch of properties in that key - something like:

=============================
WSUS Registry Path
=============================
TargetDir                  : C:\Program Files\Update Services\
Version                    : 5
SqlEncryptedPassword       :
InstallLanguage            : ENU
ServicePackLevel           : 0
IISInstallRevision         : 6.3.9600.18694
ConfigurationSource        : 0
VersionString              : 6.3.9600.18694
SqlUserName                :
EnableRemoting             : 1
ContentDir                 : C:\WSUS
SqlAuthenticationMode      : WindowsAuthentication
SqlDatabaseName            : SUSDB
SqlServerName              : MICROSOFT##WID
WsusAdministratorsSid      : <SID>
WsusReportersSid           : <SID>
IIsDynamicCompression      : 0
IISTargetWebSiteIndex      : 1395663200
IISTargetWebSiteCreated    : True
IISUninstallConfigFilePath : C:\Program Files\Update Services\setup\UninstallSettings.xml
IISPreviousInstallRevision : 6.3.9600.16384
UsingSSL                   : 1
PortNumber                 : 8531
HostHeader                 :
EncryptionParam            : <ENC>
EncryptionKey              : {1, 0, 0, 0...}
ServerCertificateName      : <CERT>
PSPath                     : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
PSParentPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server
PSChildName                : Setup
PSDrive                    : HKLM
PSProvider                 : Microsoft.PowerShell.Core\Registry

Specifically my script looks at: SQLServerName, PortNumber, and UsingSSL

Also, re-confirm that you do have the required prerequisites installed as per the top of my script (SSMS/PowerShell 4)

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Thursday, January 18, 2018 6:56 PM

The new server, I just retried clearing everything and reinstalling the roles to see if I can work through the errors.  First, when I reinstalled the roles, it did not recreate the "c:\program files\Update Services\Tools" folder, so it couldn't execute the wsusutil.exe to start the post installation.  So, I restored just that, and it recreated the folder structure, but then failed because it wouldn't recreate the susdb in the internal database.  I'm thinking I may use a SQL server for it instead, but I'm not sure how to set that up.  I have a working SQL server I can use, or I can install SQL express on the WSUS server, whichever might work better.  

Stay away from SQL Express - you'll end up wanting to move to WID later due to space issues (Express has hard limit and WID has no limit with regards to WSUS). Perhaps your method of removing needs to be looked at.

To remove WSUS completely, you need to:

  1. Remove WSUS Role and Windows Internal Database (WID) Feature.
  2. Remove C:\WSUS or where ever the WSUSContent folder resides.
  3. Remove C:\Windows\WID (specifically: delete the SUSDB.mdf and SUSDB_log.ldf in C:\Windows\WID\Data). If you don't remove the WID role and its files on a reinstall, it will re-attach to the same database.
  4. In IIS, remove the 'WSUS Administration' website and the 'WsusPool' Application Pool if they still exist.
  5. Restart the server and re-add the WSUS And WID Roles. Let it install, and then restart the server again.
  6. MAKE SURE .NET 4.7 IS NOT INSTALLED (it comes as a KB number for your server OS, not an add/remove programs installation.) The WSUS post-installer is not compatible with .NET 4.7 and will always error out. Once WSUS is installed and working, .NET 4.7 can be reapplied and WSUS should still work.

Now try to do the post-installation configuration.

If this doesn't work, disjoin the server from the domain, and restart. Try the post-installation steps again. If it works, the issue is a policy on your domain that is causing the issues. You can then rejoin the server to the domain.

After you've removed WSUS completely following the instructions above, you can then go ahead and install it again if you so choose.

Adam Marshall, MCSE: Security
http://www.adamj.org
Microsoft MVP - Windows and Devices for IT

Thursday, January 18, 2018 7:03 PM

On the new server, I was able to recreate the susdb manually through SSMS.  It seems to have finished the post installation tasks.

Thursday, January 18, 2018 7:07 PM

Ah, on the old server, I found the glitch I was running into.  I apparently hadn't been running the powershell window as administrator.  I thought I did, but apparently I didn't.  Once I closed it and reran it as admin, it started running the script.

Thursday, January 18, 2018 7:19 PM

The old server finished running the "-firstrun" part pretty quickly, far less than the 8-48 hours you said, but it is actually pulling up the list of updates now.  I can finally approve things again.  

Thursday, January 18, 2018 7:35 PM

I'll have more detailed documentation for this procedure when I can, but on a really basic level, it goes like this: remove the WSUS role and internal database feature; copy C:\Windows\WID, c:\program files\update services, and your WSUS content folder elsewhere so Windows can't see it, preferably an external network share; reinstall the WSUS role and internal database feature, restore the c:\program files\update services\tools folder ONLY; run SSMS "as administrator" and connect to the internal database and then create the SUSDB database; run "wsusutil postinstall content_dir=<your content directory>"; and finally run the WSUS MMC console to finish the post install tasks.

That only took me 3.5 days to figure out.

Thursday, January 18, 2018 7:56 PM

I was finally able to figure out most of what screwed up the old WSUS server:

  1. the database was put on the same drive as the WSUS content, so when the drive ran out of space (which happened many times) the database was not fully able to update.  I have not put in effort to fix this.  We'll be replacing it anyway.

  2. the dope who set this thing up before set it to sync 24 times per day, so the SUSDB was filling up with sync history.  It is up over 9GB in size, which is probably what is making it take so long to look things up.  I have reduced it to sync once per day.  Not sure what I can do to reduce the DB size.  

Thursday, January 18, 2018 8:37 PM

For those that need it, here is a more formal process:

To rename WSUS 2012r2 server:

  1. Remove the WSUS role and the Windows Internal Database feature (do not reboot yet)
  2. Rename the machine and reboot
  3. Delete the folders "C:\Windows\WID" and the old WSUS content folder
  4. Move the folder "C:\Program Files\Update Service\Tools" elsewhere and delete the rest of the contents of C:\Program Files\Update Services"
  5. Install SQL Server Management Studio if it isn't already installed
  6. Reboot
  7. Reinstall the WSUS role, and the internal DB if preferred
  8. Move the "C:\Program Files\Update Services\Tools" folder back into its original location
  9. Use SSMS, run as administrator, to connect to "\.\pipe\MICROSOFT##WID\tsql\query" with windows authentication
  10. Create a database on the internal database engine called "SUSDB" (this IS case sensitive!)
  11. From an administrator command prompt or powershell, run "C:\Program Files\Update Services\Tools\wsusutil.exe postinstall content_dir=<your content directory>"
  12. Run the WSUS MMC console, which should guide you through the rest of the WSUS setup and run the first synchronize
  13. Run the AdamJ's Clean-WSUS script with the "-FirstRun" flag

To reset a WSUS 2012r2 server:

  1. Remove the WSUS role and the Windows Internal Database feature (do not reboot yet)
  2. Delete the folders "C:\Windows\WID" and the old WSUS content folder
  3. Move the folder "C:\Program Files\Update Service\Tools" elsewhere and delete the rest of the contents of C:\Program Files\Update Services"
  4. Install SQL Server Management Studio if it isn't already installed
  5. Reboot
  6. Reinstall the WSUS role, and the internal DB if preferred
  7. Move the "C:\Program Files\Update Services\Tools" folder back into its original location
  8. Use SSMS, run as administrator, to connect to "\.\pipe\MICROSOFT##WID\tsql\query" with windows authentication
  9. Create a database on the internal database engine called "SUSDB" (this IS case sensitive!)
  10. From an administrator command prompt or powershell, run "C:\Program Files\Update Services\Tools\wsusutil.exe postinstall content_dir=<your content directory>"
  11. Run the WSUS MMC console, which should guide you through the rest of the WSUS setup and run the first synchronize
  12. Run the AdamJ's Clean-WSUS script with the "-FirstRun" flag