Plan your WSUS deployment

Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The first step in the deployment of Windows Server Update Services (WSUS) is to make important decisions, such as deciding the WSUS deployment scenario, choosing a network topology, and understanding the system requirements. The following checklist summarizes the steps that are involved in preparing for your deployment.

Task | Description
1.1. Review considerations and system requirements | Review the list of considerations and system requirements to ensure that you have all the necessary hardware and software to deploy WSUS.
1.2. Choose a WSUS deployment scenario | Decide which WSUS deployment scenario will be used.
1.3. Choose a WSUS storage strategy | Decide which WSUS storage strategy best fits your deployment.
1.4. Choose WSUS update languages | Decide which WSUS update languages will be installed.
1.5. Plan WSUS computer groups | Plan the WSUS computer group approach that you will use for your deployment.
1.6. Plan WSUS Performance Considerations: Background Intelligent Transfer Service | Plan a WSUS design for optimized performance.
1.7. Plan Automatic Updates settings | Plan how you will configure the automatic updates settings for your scenario.

1.1. Review considerations and system requirements

System Requirements

Hardware and database software requirements are driven by the number of client computers being updated in your organization. Before you enable the WSUS server role, confirm that the server meets the system requirements and that you have the necessary permissions to complete the installation by following these guidelines:

  • Server hardware requirements to enable the WSUS role are bound to hardware requirements. The minimum hardware requirements for WSUS are:

    • Processor: 1.4 gigahertz (GHz) x64 processor (2 GHz or faster is recommended)

    • Memory: WSUS requires an additional 2 GB of RAM more than what is required by the server and all other services or software.

    • Available disk space: 40 GB or greater is recommended

    • Network adapter: 100 megabits per second (Mbps) or greater (1GB is recommended)

Note

These guidelines assume that WSUS clients are synchronizing with the server every eight hours for a rollup of 30,000 clients. If they synchronize more often, there will be a corresponding increment in the server load.

  • Software Requirements:

  • If you install roles or software updates that require you to restart the server when installation is complete, restart the server before you enable the WSUS server role.

  • Microsoft .NET Framework 4.0 must be installed on the server where the WSUS server role will be installed.

  • The NT Authority\Network Service account must have Full Control permissions for the following folders so that the WSUS Administration snap-in displays correctly:

    • %windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files

      Note

      This path might not exist before you install the Web Server role, which contains Internet Information Services (IIS).

    • %windir%\Temp

  • Confirm that the account you plan to use to install WSUS is a member of the Local Administrators group.
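
The software requirements above can be verified before the role is enabled. The following read-only script is an added example, not part of the original guidance; the function names are hypothetical, and the registry locations used to detect .NET Framework 4 and a pending restart are common conventions that the page itself does not state.

```powershell
# Added example: read-only pre-installation checks for the requirements listed above.
# Run in an elevated Windows PowerShell session on the intended WSUS server.

function Test-NetworkServiceFullControl {
    param([Parameter(Mandatory = $true)][string]$Path)

    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) {
        # The ASP.NET temp folder may not exist until the Web Server (IIS) role is installed.
        return [pscustomobject]@{ Check = "ACL: $expanded"; Passed = $false; Detail = 'Folder does not exist yet' }
    }

    # S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE. Matching on the
    # SID avoids depending on the localized account name.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl   = Get-Acl -LiteralPath $expanded
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $allowFull = $false
    $denied    = $false
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $sid.Value) { continue }
        # Inherit-only entries apply to child objects, not to this folder itself.
        if ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($r.AccessControlType -eq 'Deny') { $denied = $true; continue }
        if (($r.FileSystemRights -band $full) -eq $full) { $allowFull = $true }
    }

    # Only entries that name NETWORK SERVICE directly are considered; rights granted
    # through group membership are not counted as meeting the requirement.
    $detail = if ($denied) { 'Deny entry present for NETWORK SERVICE' }
              elseif ($allowFull) { 'Full Control granted' }
              else { 'No Full Control entry for NETWORK SERVICE' }
    [pscustomobject]@{ Check = "ACL: $expanded"; Passed = ($allowFull -and -not $denied); Detail = $detail }
}

function Test-WsusPrerequisite {
    $results = @()

    # Assumption: .NET Framework 4.x records Install = 1 under this key.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = '.NET Framework 4'; Passed = ($ndp.Install -eq 1); Detail = "Version: $($ndp.Version)" }

    # Assumption: these keys exist while a servicing or update restart is outstanding.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $pending = @($rebootKeys | Where-Object { Test-Path -LiteralPath $_ })
    $results += [pscustomobject]@{ Check = 'No restart pending'; Passed = ($pending.Count -eq 0); Detail = ($pending -join '; ') }

    # IsInRole reflects the current token, so a non-elevated session reports False
    # even for a member of the local Administrators group.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    $results += [pscustomobject]@{ Check = 'Local Administrators member'; Passed = $isAdmin; Detail = $identity.Name }

    foreach ($p in '%windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files', '%windir%\Temp') {
        $results += Test-NetworkServiceFullControl -Path $p
    }
    $results
}

Test-WsusPrerequisite | Format-Table -AutoSize -Wrap
```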

Installation Considerations

During the installation process, WSUS will install the following by default:

  • .NET API and Windows PowerShell cmdlets

  • Windows Internal Database (WID), which is used by WSUS

  • Services used by WSUS, which are:

    • Update Service

    • Reporting Web Service

    • Client Web Service

    • Simple Web Authentication Web Service

    • Server Synchronization Service

    • DSS Authentication Web Service

Features on Demand Considerations

Be aware that configuring client computers (including servers) to update by using WSUS will result in the following limitations:

  1. Server roles that have had their payloads removed using Features on Demand cannot be installed on demand from Microsoft Update. You must either provide an installation source at the time you try to install such server roles, or configure a source for Features on Demand in Group Policy.

  2. Windows client editions will not be able to install .NET 3.5 on demand from the web. The same considerations as server roles apply to .NET 3.5.

    Note

    Configuring a Features on Demand installation source does not involve WSUS. For information on how to configure Features, see Configure Features on Demand in Windows Server.

  3. Enterprise devices running Windows 10, version 1709 or version 1803, cannot install any Features on Demand directly from WSUS. To install Features on Demand, create a feature file (side-by-side store) or obtain the Feature on Demand package from one of the following sources:

WSUS database requirements

WSUS requires one of the following databases:

  • Windows Internal Database (WID)

  • Any supported Microsoft SQL Server version. For more information, see Microsoft Lifecycle Policy.

The following editions of SQL Server are supported by WSUS:

  • Standard

  • Enterprise

  • Express

Note

SQL Server Express 2008 R2 has a database size limitation of 10 GB. This database size is likely to be sufficient for WSUS, although there is no appreciable benefit to using this database instead of WID. The WID database has a minimum RAM requirement of 2 GB beyond the standard Windows Server system requirements.

You can install the WSUS role on a computer that is separate from the database server computer. In this case, the following additional criteria apply:

  1. The database server cannot be configured as a domain controller.

  2. The WSUS server cannot run Remote Desktop Services.

  3. The database server must be in the same Active Directory domain as the WSUS server, or it must have a trust relationship with the Active Directory domain of the WSUS server.

  4. The WSUS server and the database server must be in the same time zone or be synchronized to the same Coordinated Universal Time (Greenwich Mean Time) source.

1.2. Choose a WSUS deployment scenario

This section describes the basic features of all WSUS deployments. Use this section to familiarize yourself with a simple deployment with a single WSUS server, in addition to more complex scenarios, such as a WSUS server hierarchy or a WSUS server on an isolated network segment.

Simple WSUS deployment

The most basic WSUS deployment consists of a server inside the corporate firewall that serves client computers on a private intranet. The WSUS server connects to Microsoft Update to download updates. This is known as synchronization. During synchronization, WSUS determines if any new updates have been made available since the last time you synchronized. If it is your first time synchronizing WSUS, all updates are made available for download.

Note

Initial synchronization can take over an hour. All synchronizations after that should be significantly quicker.

By default, the WSUS server uses port 80 for HTTP protocol and port 443 for HTTPS protocol to obtain updates from Microsoft. If there is a corporate firewall between your network and the Internet, you will have to open these ports on the server that communicates directly to Microsoft Update. If you are planning to use custom ports for this communication, you must open those ports instead. You can configure multiple WSUS servers to synchronize with a parent WSUS server. By default, the WSUS server uses port 8530 for HTTP protocol and port 8531 for HTTPS protocol to provide updates to client workstations.

Multiple WSUS servers

Administrators can deploy multiple servers running WSUS that synchronize all content within their organization's intranet. You might expose only one server to the Internet, which would be the only server that downloads updates from Microsoft Update. This server is set up as the upstream server, the source to which the downstream servers synchronize. When applicable, servers can be located throughout a geographically dispersed network to provide the best connectivity to all client computers.

Disconnected WSUS server

If corporate policy or other conditions limit computer access to the Internet, administrators can set up an internal server to run WSUS. An example of this is a server that is connected to the intranet but is isolated from the Internet. After downloading, testing, and approving the updates on this server, an administrator would export the update metadata and content to a DVD. The update metadata and content is imported from the DVD to servers running WSUS within the intranet.

WSUS server hierarchies

You can create complex hierarchies of WSUS servers. Because you can synchronize one WSUS server with another WSUS server instead of with Microsoft Update, you need to have only a single WSUS server that is connected to Microsoft Update. When you link WSUS servers together, there is an upstream WSUS server and a downstream WSUS server. A WSUS server hierarchy deployment offers the following benefits:

  • You can download updates one time from the Internet and then distribute the updates to client computers by using downstream servers. This method saves bandwidth on the corporate Internet connection.

  • You can download updates to a WSUS server that is physically closer to the client computers, for example, in branch offices.

  • You can set up separate WSUS servers to serve client computers that use different languages of Microsoft products.

  • You can scale WSUS for a large organization that has more client computers than one WSUS server can effectively manage.

Note

We recommend that you do not create a WSUS server hierarchy that is more than three levels deep. Each level adds time to propagate updates throughout the connected servers. Although there is no theoretical limit to a hierarchy, only deployments with a hierarchy five levels deep have been tested by Microsoft.

Also, downstream servers must be at the same version or an earlier version of WSUS as the upstream server synchronization source.

You can connect WSUS servers in Autonomous mode (to achieve distributed administration) or in Replica mode (to achieve centralized administration). You do not have to deploy a server hierarchy that uses only one mode: you can deploy a WSUS solution that uses both autonomous and replica WSUS servers.

Autonomous mode

The Autonomous mode, also called distributed administration, is the default installation option for WSUS. In Autonomous mode, an upstream WSUS server shares updates with downstream servers during synchronization. Downstream WSUS servers are administered separately, and they do not receive update approval status or computer group information from the upstream server. By using the distributed management model, each WSUS server administrator selects update languages, creates computer groups, assigns computers to groups, tests and approves updates, and makes sure that the correct updates are installed to the appropriate computer groups.

Replica mode

The Replica mode, also called centralized administration, works by having an upstream WSUS server that shares updates, approval status, and computer groups with downstream servers. Replica servers inherit update approvals and are not administered separately from the upstream WSUS server.

Note

If you set up several replica servers to connect to a single upstream WSUS server, do not schedule synchronization to run at the same time on each replica server. This practice will avoid sudden surges in bandwidth usage.

Branch offices

You can leverage the Branch Office feature in Windows to optimize WSUS deployment. This type of deployment offers the following advantages:

  1. Helps reduce WAN link utilization and improves application responsiveness. To enable BranchCache acceleration of content that is served by the WSUS server, install the BranchCache feature on the server and the clients, and ensure that the BranchCache service has started. No other steps are necessary.

  2. In branch offices that have low-bandwidth connections to the central office but high-bandwidth connections to the Internet, the Branch Office feature can also be used. In this case you may want to configure downstream WSUS servers to get information about which updates to install from the central WSUS server, but download the updates from Microsoft Update.

Network Load Balancing

Network Load Balancing (NLB) increases the reliability and performance of your WSUS network. You can set up multiple WSUS servers that share a single failover cluster running SQL Server, such as SQL Server 2008 R2 SP1. In this configuration you must use a full SQL Server installation, not the Windows Internal Database installation that is provided by WSUS, and the database role must be installed on all WSUS front-end servers. You can also have all the WSUS servers use a distributed file system (DFS) to store their content.

WSUS setup for NLB: Compared to WSUS 3.2 setup for NLB, a special setup call and parameters are no longer required to configure WSUS for NLB. You need only set up each WSUS server, keeping the following considerations in mind.

  • WSUS must be set up using the SQL database option instead of WID.

  • If storing updates locally, the same Content folder must be shared between the WSUS servers that are sharing the same SQL database.

  • WSUS setup must be done in serial. Postinstall tasks cannot be run on more than one server at the same time when sharing the same SQL database.

WSUS deployment with roaming client computers

If the network includes mobile users who log on to the network from different locations, you can configure WSUS to let roaming users update their client computers from the WSUS server that is closest to them geographically. For example, you might deploy one WSUS server in each region and use a different DNS subnet for each region. All client computers could be directed to the same WSUS server, which resolves in each subnet to the nearest physical WSUS server.

1.3. Choose a WSUS storage strategy

Windows Server Update Services (WSUS) uses two types of storage systems: a database to store WSUS configuration and update metadata, and an optional local file system to store update files. Before you install WSUS, you should decide how you want to implement storage.

Updates are composed of two parts: metadata that describes the update, and the files that are required to install the update. Update metadata is typically much smaller than the actual update, and it is stored in the WSUS database. Update files are stored on a local WSUS server or on a Microsoft Update Web server.

WSUS database

WSUS requires a database for each WSUS server. WSUS supports the use of a database that resides on a different computer than the WSUS server, with some restrictions. For a list of supported databases and remote database limitations, see section 1.1 Review initial considerations and system requirements, in this guide.

The WSUS database stores the following information:

  • WSUS server configuration information

  • Metadata that describes each update

  • Information about client computers, updates, and interactions

If you install multiple WSUS servers, you must maintain a separate database for each WSUS server, whether it is an autonomous or a replica server. You cannot store multiple WSUS databases on a single instance of SQL Server, except in Network Load Balancing (NLB) clusters that use SQL Server failover.

SQL Server, SQL Server Express, and Windows Internal Database provide the same performance characteristics for a single-server configuration, where the database and the WSUS service are located on the same computer. A single-server configuration can support several thousand WSUS client computers.

Note

Do not attempt to manage WSUS by accessing the database directly. Directly manipulating the database can cause database corruption. The corruption might not be immediately obvious, but it can prevent upgrades to the next version of the product. You can manage WSUS by using the WSUS console or WSUS application programming interfaces (APIs).

WSUS with Windows Internal Database

By default, the installation wizard creates and uses a Windows Internal Database that is named SUSDB.mdf. This database is located in the %windir%\wid\data\ folder, where %windir% is the local drive on which the WSUS server software is installed.

Note

Windows Internal Database (WID) was introduced in Windows Server 2008.

WSUS supports Windows authentication only for the database. You cannot use SQL Server authentication with WSUS. If you use Windows Internal Database for the WSUS database, WSUS Setup creates an instance of SQL Server that is named server\Microsoft##WID, where server is the name of the computer. With either database option, WSUS Setup creates a database named SUSDB. The name of this database is not configurable.

We recommend that you use Windows Internal Database in the following cases:

  • The organization has not already purchased and does not require a SQL Server product for any other application.

  • The organization does not require an NLB WSUS solution.

  • You intend to deploy multiple WSUS servers (for example, in branch offices). In this case, you should consider using Windows Internal Database on the secondary servers, even if you will use SQL Server for the root WSUS server. Because each WSUS server requires a separate instance of SQL Server, you will quickly experience database performance issues if only one instance of SQL Server handles multiple WSUS servers.

Windows Internal Database does not provide a user interface or any database management tools. If you select this database for WSUS, you must use external tools to manage the database. For more information, see:

WSUS with SQL Server

We recommend that you use SQL Server with WSUS in the following cases:

  1. You require an NLB WSUS solution.

  2. You already have at least one instance of SQL Server installed.

  3. You cannot run the SQL Server service under a local non-system account or by using SQL Server authentication. WSUS supports Windows authentication only.

WSUS update storage

When updates are synchronized to your WSUS server, the metadata and update files are stored in two separate locations. Metadata is stored in the WSUS database. Update files can be stored on your WSUS server or on Microsoft Update servers, depending on how you have configured your synchronization options. If you choose to store update files on your WSUS server, client computers will download approved updates from the local WSUS server. If not, client computers will download approved updates directly from Microsoft Update. The option that makes the most sense for your organization will depend on network bandwidth to the Internet, network bandwidth on the intranet, and local storage availability.

You can select a different update storage solution for each WSUS server that you deploy.

Local WSUS server storage

Local storage of update files is the default option when you install and configure WSUS. This option can save bandwidth on the corporate connection to the Internet because client computers download updates directly from the local WSUS server.

This option requires that the server have sufficient disk space to store all needed updates. At a minimum, WSUS requires 20 GB to store updates locally; however, we recommend 30 GB based on tested variables.

Remote storage on Microsoft Update servers

You can store updates remotely on Microsoft Update servers. This option is useful if most client computers connect to the WSUS server over a slow WAN connection, but they connect to the Internet over a high-bandwidth connection.

In this case, the root WSUS server synchronizes with Microsoft Update and receives the update metadata. After you approve the updates, the client computers download the approved updates from Microsoft Update servers.

1.4. Choose WSUS update languages

When you deploy a WSUS server hierarchy, you should determine which language updates are required throughout the organization. You should configure the root WSUS server to download updates in all languages that are used throughout the entire organization.

For example, the main office might require English and French language updates, but one branch office requires English, French, and German language updates, and another branch office requires English and Spanish language updates. In this situation, you would configure the root WSUS server to download updates in English, French, German, and Spanish. You would then configure the first branch office WSUS server to download updates in English, French, and German only, and configure the second branch office to download updates in English and Spanish only.

The Choose Languages page of the WSUS Configuration Wizard allows you to get updates from all languages or from a subset of languages. Selecting a subset of languages saves disk space, but it is important to choose all the languages that are needed by all the downstream servers and client computers of a WSUS server.

Following are some important notes about the update language that you should keep in mind before you configure this option:

  • Always include English in addition to any other languages that are required throughout your organization. All updates are based on English language packs.

  • Downstream servers and client computers will not receive all the updates they need if you have not selected all the necessary languages for the upstream server. Make sure you select all the languages that will be needed by all the client computers that are associated with all the downstream servers.

  • You should generally download updates in all languages on the root WSUS server that synchronizes to Microsoft Update. This selection guarantees that all downstream servers and client computers will receive updates in the languages that they require.
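
The language rules above (always include English, and every upstream server must cover the languages of everything below it) can be checked against a planned hierarchy before the servers are configured. This is an added planning example, not part of the original guidance: the server names, the function names and the topology table are constructed from the main office and branch office example in the text, with the root deliberately left without Spanish so that the gap is reported.

```powershell
# Added example: verify that each WSUS server in a planned hierarchy synchronizes
# every language needed by its own clients and by all servers downstream of it.

# Constructed sample plan (hypothetical server names). ClientLanguages are the
# languages of the clients served directly; Synced is what the server is planned
# to download.
$plan = @(
    [pscustomobject]@{ Name = 'WSUS-ROOT';     Upstream = $null;       ClientLanguages = @('en', 'fr');       Synced = @('en', 'fr', 'de') }
    [pscustomobject]@{ Name = 'WSUS-BRANCH-A'; Upstream = 'WSUS-ROOT'; ClientLanguages = @('en', 'fr', 'de'); Synced = @('en', 'fr', 'de') }
    [pscustomobject]@{ Name = 'WSUS-BRANCH-B'; Upstream = 'WSUS-ROOT'; ClientLanguages = @('en', 'es');       Synced = @('en', 'es') }
)

function Get-RequiredLanguage {
    param([string]$Name, [object[]]$Topology)

    $self = $Topology | Where-Object { $_.Name -eq $Name }

    # English is always required, in addition to the server's own client languages.
    $langs = @('en') + @($self.ClientLanguages)

    # Add everything required by each downstream server, recursively.
    foreach ($child in @($Topology | Where-Object { $_.Upstream -eq $Name })) {
        $langs += @(Get-RequiredLanguage -Name $child.Name -Topology $Topology)
    }
    $langs | Sort-Object -Unique
}

function Test-LanguageCoverage {
    param([object[]]$Topology)

    foreach ($server in $Topology) {
        $required = @(Get-RequiredLanguage -Name $server.Name -Topology $Topology)
        $missing  = @($required | Where-Object { $server.Synced -notcontains $_ })
        [pscustomobject]@{
            Server   = $server.Name
            Required = $required -join ','
            Synced   = ($server.Synced | Sort-Object) -join ','
            Missing  = $missing -join ','
            Ok       = ($missing.Count -eq 0)
        }
    }
}

Test-LanguageCoverage -Topology $plan | Format-Table -AutoSize
```

With the constructed plan, the root server is flagged because Spanish is required by the second branch office but is not in the root's synchronized languages.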

If you are storing updates locally, and you have set up a WSUS server to download updates in a limited number of languages, you may notice that there are updates in languages other than the ones you specified. Many update files are bundles of several different languages, which include at least one of the languages specified on the server.

Upstream servers

Note

Configure upstream servers to synchronize updates in all languages that are required by downstream replica servers. You will not be notified of needed updates in the unsynchronized languages.

Updates will appear as Not Applicable on client computers that require the language. To avoid this, make sure all operating system languages are included in your WSUS server's synchronization options. You can see all the operating system languages by going to the Computers view of the WSUS Administration Console and sorting the computers by operating system language. However, you may want to include more languages if there are Microsoft applications in more than one language (for example, if the French version of Microsoft Word is installed on some computers that use the English version of Windows 8).

Choosing languages for an upstream server is not the same as choosing languages for a downstream server. The following procedures explain the differences.

为从 Microsoft 更新进行同步的服务器选择更新语言To choose update languages for a server synchronizing from Microsoft Update

  1. 在 WSUS 配置向导中:In the WSUS Configuration Wizard:

    • 若要获取所有语言的更新,请单击“下载包括新语言在内的所有语言的更新” 。To get updates in all languages, click Download updates in all languages, including new languages.

    • 若要仅获取特定语言的更新,请单击“仅下载以下语言的更新” ,然后选择你希望获得更新的语言。To get updates only for specific languages, click Download updates only in these languages, and then select the languages for which you want updates.

To choose update languages for a downstream server

  1. If the upstream server has been configured to download update files in a subset of languages: In the WSUS Configuration Wizard, click Download updates only in these languages (only languages marked with an asterisk are supported by the upstream server), and then select the languages for which you want updates.

Note

You should do this even though you want the downstream server to download the same languages as the upstream server.

  2. If the upstream server has been configured to download update files in all languages: In the WSUS Configuration Wizard, click Download updates in all languages supported by the upstream server.

Note

You should do this even though you want the downstream server to download the same languages as the upstream server. This setting causes the upstream server to download updates in all languages, including languages that were not originally configured for the upstream server. If you add languages to the upstream server, you should copy the new updates to its replica servers.

Changing language options on the upstream server alone might cause a mismatch between the number of updates that are approved on the central server and the number of updates approved on the replica servers.

1.5. Plan WSUS computer groups

WSUS allows you to target updates to groups of client computers, so you can ensure that specific computers always get the right updates at the most convenient times. For example, if all the computers in one department (such as the Accounting team) have a specific configuration, you can set up a group for that team, decide which updates their computers need and what time they should be installed, and then use WSUS reports to evaluate the updates for the team.

Note

If a WSUS server is running in replica mode, computer groups cannot be created on that server. All the computer groups that are needed for client computers of the replica server must be created on the WSUS server that is the root of the WSUS server hierarchy. For more information about replica mode, see Manage WSUS Replica Servers in the WSUS 3.0 SP2 Operations Guide.

Computers are always assigned to the All computers group, and they remain assigned to the Unassigned computers group until you assign them to another group. Computers can belong to more than one group.

Computer groups can be set up in hierarchies (for example, the Payroll group and the Accounts Payable group below the Accounting group). Updates that are approved for a higher group will automatically be deployed to lower groups, in addition to the higher group. In this example, if you approve Update1 for the Accounting group, the update will be deployed to all the computers in the Accounting group, all the computers in the Payroll group, and all the computers in the Accounts Payable group.

Because computers can be assigned to multiple groups, it is possible for a single update to be approved more than once for the same computer. However, the update will be deployed only once, and any conflicts will be resolved by the WSUS server. To continue with the previous example, if ComputerA is assigned to the Payroll group and the Accounts Payable group, and Update1 is approved for both groups, it will be deployed only once.

You can assign computers to computer groups by using one of two methods, server-side targeting or client-side targeting. Following are the definitions for each method:

  • Server-side targeting: You manually assign one or more client computers to multiple groups simultaneously.

  • Client-side targeting: You use Group Policy or edit the registry settings on client computers to enable those computers to automatically add themselves into the previously created computer groups.

Conflict Resolution

The server applies the following rules to resolve conflicts and determine the resultant action on clients:

  1. Priority

  2. Install/Uninstall

  3. Deadline

Priority

The actions associated with the group of the highest priority override the actions of other groups. The deeper a group appears within the hierarchy of groups, the higher its priority. Priority is assigned only based on depth; all branches have equal priority. For example, a group two levels beneath the Desktops branch has a higher priority than a group one level beneath the Server branch.

In the following text example of the Update Services console hierarchy pane, for a WSUS server named WSUS-01, computer groups named Desktop computers and Servers have been added to the default All computers group. Both the Desktop computers and Servers groups are at the same hierarchical level.

  • Update Services

    • WSUS-01

      • Updates

      • Computers

        • All computers

          • Unassigned computers

          • Desktop computers

            • Desktops-L1

              • Desktops-L2

          • Servers

            • Servers-L1

      • Downstream Servers

      • Synchronizations

      • Reports

      • Options

In this example, the group two levels beneath the Desktop computers branch (Desktops-L2) has a higher priority than the group one level beneath the Servers branch (Servers-L1). Accordingly, for a computer that has membership in both the Desktops-L2 and the Servers-L1 groups, all actions for the Desktops-L2 group take priority over actions specified for the Servers-L1 group.

Priority of Install and Uninstall

Install actions override uninstall actions. Required installs override optional installs (optional installs are only available through the API, and changing an approval for an update by using the WSUS Administration Console will clear all optional approvals).

Priority of Deadlines

Actions that have a deadline override those with no deadline. Actions with earlier deadlines override those with later deadlines.
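The three rules above, applied in order to one update on one computer, as an added example (a model for reasoning about approvals, not Microsoft's code or the WSUS implementation). It assumes that an approval inherited from a parent group is evaluated at the depth of the group the computer is a member of; the group names mirror the console tree above, and the approvals are constructed.

```python
from datetime import datetime

# Constructed hierarchy mirroring the console tree above: child -> parent.
PARENT = {
    "All computers": None,
    "Unassigned computers": "All computers",
    "Desktop computers": "All computers",
    "Desktops-L1": "Desktop computers",
    "Desktops-L2": "Desktops-L1",
    "Servers": "All computers",
    "Servers-L1": "Servers",
}

# Rule 2 ranking: install overrides uninstall, required overrides optional.
ACTION_RANK = {"install": 2, "optional_install": 1, "uninstall": 0}


def depth(group):
    """Number of levels between the group and the root (All computers = 0)."""
    d = 0
    while PARENT[group] is not None:
        group, d = PARENT[group], d + 1
    return d


def effective_approval(group, approvals):
    """The group's own approval, else the nearest ancestor's (approvals flow down)."""
    while group is not None:
        if group in approvals:
            return approvals[group]
        group = PARENT[group]
    return None


def resolve(memberships, approvals):
    """Return the winning (group, action, deadline) for one update, or None.

    approvals maps group name -> (action, deadline or None) for a single update.
    """
    candidates = []
    for g in memberships:
        appr = effective_approval(g, approvals)
        if appr is not None:
            candidates.append((g, appr[0], appr[1]))
    if not candidates:
        return None

    def key(c):
        g, action, deadline = c
        # Rule 3: a deadline beats none; negate so max() prefers the earlier one.
        when = -deadline.timestamp() if deadline is not None else 0.0
        return (depth(g), ACTION_RANK[action], deadline is not None, when)

    return max(candidates, key=key)


if __name__ == "__main__":
    # Constructed approvals: the deeper group wins even though it uninstalls.
    approvals = {"Desktops-L2": ("uninstall", None),
                 "Servers-L1": ("install", datetime(2024, 1, 10))}
    print(resolve(["Desktops-L2", "Servers-L1"], approvals))
```

Running the model against planned group memberships before approving an update shows which group's action a multi-group computer will actually receive.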

1.6. Plan WSUS performance considerations

There are some areas that you should carefully plan before deploying WSUS so that you can have optimized performance. The key areas are:

  • Network setup

  • Deferred download

  • Filters

  • Installation

  • Large update deployments

  • Background Intelligent Transfer Service (BITS)

Network setup

To optimize performance in WSUS networks, consider the following suggestions:

  1. Set up WSUS networks in a hub-and-spoke topology rather than in a hierarchical topology.

  2. Use DNS netmask ordering for roaming client computers, and configure roaming client computers to obtain updates from the local WSUS server.

Deferred download

You can approve updates and download the update metadata before you download the update files. This method is called deferred downloads. When you defer downloads, an update is downloaded only after it is approved. We recommend that you defer downloads because it optimizes network bandwidth and disk space.

In a hierarchy of WSUS servers, WSUS automatically sets all downstream servers to use the deferred download setting of the root WSUS server. You can change this default setting. For example, you can configure an upstream server to perform full, immediate synchronizations, and then configure a downstream server to defer the downloads.

If you deploy a hierarchy of connected WSUS servers, we recommend that you do not deeply nest the servers. If you enable deferred downloads and a downstream server requests an update that is not approved on the upstream server, the downstream server's request forces a download on the upstream server. The downstream server then downloads the update on a subsequent synchronization. In a deep hierarchy of WSUS servers, delays can occur as updates are requested, downloaded, and then passed through the server hierarchy. By default, deferred downloads are enabled when you store updates locally. You can change this option manually.

Filters

WSUS lets you filter update synchronizations by language, product, and classification. In a hierarchy of WSUS servers, WSUS automatically sets all downstream servers to use the update filtering options that are selected on the root WSUS server. You can reconfigure downstream servers to receive only a subset of the languages.

By default, the products to be updated are Windows and Office, and the default classifications are Critical updates, Security updates, and Definition updates. To conserve bandwidth and disk space, we recommend that you limit languages to those that you actually use.

Installation

Updates typically consist of new versions of files that already exist on the computer that is being updated. On a binary level, these existing files might not differ very much from updated versions. The express installation files feature identifies the exact bytes that change between versions, creates and distributes updates of only those differences, and then merges the existing file together with the updated bytes.

Sometimes this feature is called delta delivery because it downloads only the delta (difference) between two versions of a file. Express installation files are larger than the updates that are distributed to client computers because the express installation file contains all possible versions of each file that is to be updated.

You can use express installation files to limit the bandwidth that is consumed on the local network, because WSUS transmits only the delta applicable to a particular version of an updated component. However, this comes at the cost of additional bandwidth between your WSUS server, any upstream WSUS servers, and Microsoft Update, and requires additional local disk space. By default, WSUS does not use express installation files.

Not all updates are good candidates for distribution by using express installation files. If you select this option, you obtain express installation files for all updates. If you do not store updates locally, the Windows Update Agent will decide whether to download the express installation files or the full-file update distributions.

Large update deployment

When you deploy large updates (such as service packs), you can avoid saturating the network by using the following practices:

  1. Use Background Intelligent Transfer Service (BITS) throttling. BITS bandwidth limitations can be controlled by time-of-day, but they apply to all applications that are using BITS. To learn how to control BITS throttling, please see Group Policies.

  2. Use Internet Information Services (IIS) throttling to limit throttling to one or more web services.

  3. Use computer groups to control the rollout. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. The WSUS server uses this information to determine which updates should be deployed to this computer. You can set up multiple computer groups and sequentially approve large service pack downloads for a subset of these groups.

Background Intelligent Transfer Service

WSUS uses the Background Intelligent Transfer Service (BITS) protocol for all its file transfer tasks. This includes downloads to client computers and server synchronizations. BITS enables programs to download files by using spare bandwidth. BITS maintains file transfers through network disconnections and computer restarts. For more information, see: Background Intelligent Transfer Service.

1.7. Plan Automatic Updates settings

You can specify a deadline to approve updates on the WSUS server. The deadline causes client computers to install the update at a specific time, but there are a number of different situations, depending on whether the deadline has expired, whether there are other updates in the queue for the computer to install, and whether the update (or another update in the queue) requires a restart.

By default, Automatic Updates polls the WSUS server for approved updates every 22 hours minus a random offset. If new updates need to be installed, they are downloaded. The time between each detection cycle can be manipulated from 1 to 22 hours.

You can manipulate the notification options as follows:

  1. If Automatic Updates is configured to notify the user of updates that are ready to be installed, the notification is sent to the System log and to the notification area of the client computer.

  2. When a user with appropriate credentials clicks the notification area icon, Automatic Updates displays the available updates to install. The user must click Install to start the installation. A message appears if the update requires the computer to be restarted to complete the update. If a restart is requested, Automatic Updates cannot detect additional updates until the computer is restarted.

If Automatic Updates is configured to install updates on a set schedule, applicable updates are downloaded and marked as ready to install. Automatic Updates notifies users who have appropriate credentials by using a notification area icon, and an event is logged in the System log.

At the scheduled day and time, Automatic Updates installs the update and restarts the computer (if necessary), even if no local administrator is logged on. If a local administrator is logged on and the computer requires a restart, Automatic Updates displays a warning and a countdown for the restart. Otherwise, the installation occurs in the background.

If the computer must be restarted, and any user is logged on, a similar countdown dialog box is displayed, which warns the user about the impending restart. You can manipulate computer restarts with Group Policy.

After the new updates are downloaded, Automatic Updates polls the WSUS server for the list of approved packages to confirm that the packages it downloaded are still valid and approved. This means that, if a WSUS administrator removes updates from the list of approved updates while Automatic Updates is downloading updates, only the updates that are still approved are actually installed.