Windows Server Core (on Windows Server 2019) is a great way to reduce the performance and security footprint of your servers. The operating system itself is minimalist and provides no GUI except for a command prompt, and some basic windows and tools.
All administration on Server Core must be performed via the command prompt, PowerShell, or remote administration tools (such as Server Manager or the new Windows Admin Center).
Server Core provides a fantastic foundation for Windows Server Roles (roles that are integrated in the operating system), and can be installed and managed with ease, including remotely. It’s also nice because you can allocate less CPU and RAM to virtual machines running Windows Server Core.
Getting started may be a bit tricky, as you might need to familiarize yourself with some commands, PowerShell, and remote management kung-fu, but over time it’s easy!
I think I can speak for most admins out there when I say that a WSUS deployment typically consists of a single VM, with the WSUS, IIS, and WID roles installed.
WSUS is usually CPU and RAM intensive (when doing synchronizations), requires disk space, and doesn’t do much else. Because of the spikes, we usually keep this VM separate and don’t mix it with other LoBs or roles, with the exception of perhaps a file server.
Whether or not your VM runs WSUS alone, or also as a file server, since both of these roles are “Windows Roles and Features”, they are perfect to deploy on a Windows Server Core install.
There should be little administrative requirement on the WSUS server, other than re-indexing scripts and cleanup scripts, which can easily be run from the command prompt, and the occasional Windows Update that will be installed.
Because you don’t require any 3rd party software, management consoles, or GUI related elements, it’s perfect for Server Core. By skipping the GUI and applications, you’ll be able to allocate that memory to WSUS/IIS itself.
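Install-WindowsFeature UpdateServices -Restart
# In PowerShell, a quoted path must be invoked with the call operator (&); from cmd.exe, omit the leading "& "
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS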
You’re done!
Don’t forget to regularly re-index your WSUS database and perform the routine maintenance!
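The install and post-install steps above, combined with the checks you would want before calling the server ready. This is an added example, not code from the original post. The function name, the reboot check (used here instead of -Restart), and the service and port checks are assumptions; run it elevated, locally on the Server Core machine.

```powershell
# Added example, not from the original post.
function Install-WsusOnCore {
    param(
        [string]$ContentDir = 'C:\WSUS'   # same CONTENT_DIR value as the post
    )
    $ErrorActionPreference = 'Stop'
    $wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'

    # Install the role only if missing; stop here if Windows wants a reboot first.
    if (-not (Get-WindowsFeature -Name UpdateServices).Installed) {
        $result = Install-WindowsFeature -Name UpdateServices
        if ($result.RestartNeeded -ne 'No') {
            Write-Warning 'Restart the server, then run Install-WsusOnCore again.'
            return
        }
    }

    # Make sure the content directory exists before postinstall points WSUS at it.
    New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null

    # The call operator (&) is what lets PowerShell run a quoted path with arguments.
    & $wsusUtil postinstall "CONTENT_DIR=$ContentDir"
    if ($LASTEXITCODE -ne 0) {
        throw "wsusutil postinstall exited with code $LASTEXITCODE"
    }

    # Confirm the services behind WSUS are running (WID, IIS, WSUS itself).
    $services = Get-Service -Name 'MSSQL$MICROSOFT##WID', 'W3SVC', 'WsusService'
    $stopped  = $services | Where-Object Status -ne 'Running'
    if ($stopped) {
        throw "Not running: $($stopped.Name -join ', ')"
    }

    # 8530 is the default WSUS HTTP port on current Windows Server releases.
    $port = Test-NetConnection -ComputerName localhost -Port 8530 -WarningAction SilentlyContinue
    [pscustomobject]@{
        ContentDir   = $ContentDir
        Services     = $services.Name -join ', '
        Port8530Open = $port.TcpTestSucceeded
    }
}

Install-WsusOnCore
```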
Hi, when I try to do the 4th step
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
I get the following error, will you advise?
PS C:\Windows\system32> "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
At line:1 char:55
+ ... Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT ...
+ ~~~~~~~~~~~
Unexpected token 'postinstall' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
PS C:\Windows\system32>
Hi, Stephen.
I used your instructions but used PowerShell from a remote machine. It may help if you have to do it again in the future. :)
$WsusServer = "WsusGui"
# Install the WSUS role on the target WSUS server
Install-WindowsFeature -ComputerName $WsusServer -Name UpdateServices -IncludeManagementTools -Restart
# Create the directory for WSUS
Invoke-Command -ComputerName $WsusServer -ScriptBlock { New-Item -Name WSUS -Type Directory -Path C:\ -Force | Out-Null }
# Run the post installation task command to configure WSUS
Invoke-Command -ComputerName $WsusServer -ScriptBlock { Start-Process -FilePath "C:\Program Files\Update Services\Tools\wsusutil.exe" -ArgumentList "postinstall CONTENT_DIR=C:\WSUS" -Wait -NoNewWindow }
# Enable remote IIS management
Install-WindowsFeature -ComputerName $WsusServer -Name Web-Mgmt-Service
# Create a firewall exception (if needed) by running the following command in PowerShell
# !!! Also try this? New-NetFirewallRule -CimSession $WsusServer -Name "IISRemote management" -DisplayName "IISRemote management" -Description "IISRemote management" -Enabled True -Profile Domain -Action Allow -Direction Inbound -Service "WMSVC"
Invoke-Command -ComputerName $WsusServer -ScriptBlock { Start-Process -FilePath C:\Windows\system32\netsh.exe -ArgumentList 'advfirewall firewall add rule name="IIS Remote Management" dir=in action=allow service=WMSVC' }
# Enable remote IIS management in the registry
Invoke-Command -ComputerName $WsusServer -ScriptBlock { New-Item -Path "HKLM:\SOFTWARE\Microsoft\WebManagement\Server" -Name Favorites -ItemType Directory -Force | Out-Null }
Invoke-Command -ComputerName $WsusServer -ScriptBlock { New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WebManagement\Server" -Name "EnableRemoteManagement" -PropertyType DWord -Value "00000001" -Force }
# Configure the Service WMSVC to start automatically and start the service
Get-Service -ComputerName $WsusServer -Name WMSVC | Set-Service -StartupType Automatic
Invoke-Command -ComputerName $WsusServer -ScriptBlock { Start-Service -Name WMSVC }
# Set the Private Memory Limit (KB) for the WSUS Application Pool to 0 (zero) and reset IIS
Invoke-Command -ComputerName $WsusServer -ScriptBlock { Set-WebConfiguration "/system.applicationHost/applicationPools/add[@name='WsusPool']/recycling/periodicRestart/@privateMemory" -Value 0 }
Invoke-Command -ComputerName $WsusServer -ScriptBlock { iisreset }
After step 6, I cannot connect using IIS Manager as I continually get "The underlying connection was closed. An unexpected error occurred on a send"
Running [net.servicepointmanager]::securityprotocol on both 2019 Server Core and my Windows 10 build 1809 shows "Tls, Tls11, Tls12"
This is all well and good but it must be noted that using this with WID means that you also cannot run the WSUS reports section. Because the WSUS MMC is not on Server Core 2019 and WID can only be accessed on the local machine, this simply won't function.
Hi James,
That's not correct. Using WSUS on Server Core requires you use the MMC for WSUS on another system. Reporting works just fine.
I use the WSUS MMC on my Windows 10 workstation to manage WSUS on my Server Core instance, and regularly run reports.
Stephen
@Stephen hmm, are there any components required besides the RSAT?
Yes, you'll need to install the Report viewer runtime. There's a link for it when you try to open a report if you don't have it installed.
Make sure you install the applicable version (year); if you use the wrong version (year), the reports won't function.
Hey Stephen,
Thanks for your reply.
You were correct, the right runtime needs to be set up.
For those who would like to know - to set up reporting for Server 2019 + WSUS WID, I used Microsoft Report Viewer 2012 Runtime:
https://www.microsoft.com/en-au/download/details.aspx?id=35747
Which has a pre-requisite of Microsoft System CLR Types for SQL Server 2012 (x64) (link in the "Install Instructions" section):
https://www.microsoft.com/en-au/download/confirmation.aspx?id=29065
Hi Stephen,
Nice how-to article (and linked articles), thanks!
You don't really need to set up Remote IIS Management just to modify the Wsuspool application pool's "Private Memory Limit". Use PowerShell instead, for example using the webadministration module:
Set-WebConfiguration "/system.applicationHost/applicationPools/add[@name='WsusPool']/recycling/periodicRestart/@privateMemory" -Value 0
Installing SqlCmd is easy peasy as well:
1. download your architecture version (x86, x64) from https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
2. Make sure Microsoft Visual C++ Redistributable for Visual Studio 2017/2019 is installed: https://visualstudio.microsoft.com/downloads/
3. Install Microsoft ODBC Driver 17 for SQL Server: https://www.microsoft.com/en-us/download/details.aspx?id=56567
4. msiexec /i C:\Users\janreilink\Downloads\MsSqlCmdLnUtils.msi
Now you can use &'C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE'
I need to enable SSL and Code Signing for WSUS. How do I do that in Core?
Hello,
Is it possible to run the PS command locally on a local server?
I have the Server 2019 with GUI licensed on a domain, and I wanted to have this server to download all updates for the network computers and servers.
Hi Mario,
I'm not sure I understand what you're asking.
My question is about setting up a 2019 server with a GUI and the PS command window... Is this setup good for it?
Also I have another question... I need an extra server to run the database SQL Server. What is the best scenario for a network of 2000-2500 devices? Using the WID or a separate SQL Server database?
Hi Mario,
What PS command are you asking about? I'm still not understanding what you're asking.
As for SQL. It would probably help if you used SQL in a deployment that large.
Cheers,
Stephen
Hello Sir!
I am wondering if you could help with a WSUS installation problem I'm having on Server 2019. It happens no matter how I try to install WSUS: GUI or Core. I have tried installing WSUS on a standalone installation (not joined to domain) and also domain joined. These are always brand new fresh installations. I've tried each combination above with NOT running Windows Update after the initial OS installation and also making the OS fully up-to-date. The result is always the same:
Install-WindowsFeature : The request to add or remove features on the specified server failed.
The operation cannot be completed, because the server that you specified requires a restart.
I've looked at the google.... nothing has helped. My last hope is :
https://docs.microsoft.com/en-US/troubleshoot/windows-server/deployment/error-install-windows-internal-database
But, when I try to add to the default GPO, NT SERVICE\MSSQL$MICROSOFT##WID to log on as a service, it says that NT SERVICE\MSSQL$MICROSOFT##WID doesn't exist, and it won't let me add it.
Any words of wisdom? Thanks for your time !! I've been working on this on and off for weeks now!
Hi Cameron,
I'm not sure what's causing it, but check out this post: https://www.stephenwagner.com/2021/05/12/exchange-cu-pending-reboot-previous-installation/
The post is for exchange, but similar issue. The resolution in the post may help you.
Also, if you didn't install WID, then the account you referenced won't exist. Also I'm not sure what you're trying to do with logon as a service, as this post doesn't instruct you to do that.
Cheers
Stephen