Migrating WSUS 3.2 to Windows Server 2012 R2

Couple months back  I was assigned a task to migrate our WSUS server which was running under W2k3 R2 to W2k12 R2. The existing WSUS server was 10+ years old and actually was installed in a Domain Controller (Don’t laugh at me. I didn’t do that). The challenge I had to face was migrate all the content along with approved updates. To be exact I worked on this for 4 days following every article I could find but each time I failed at approvals. Finally it was just a simple task (I was a fool to not look at TechNet) described as in here.

I’m gonna describe how I did it (just the facts, cut the crap)

Migrate WSUS update binaries

  1. Before starting the work, I stopped WSUS service and the synchronization schedule in the existing server.
  2. Installed WSUS role on the new server. At the end of the configuration wizard I’ve left the configuration for later. This is a  must.
  3. Then created a NT Backup task to the entire WSUS Backup content folder (in my case this was 97 GB+)
  4. As Windows Server 2008 onwards NT Backup is retired, I copied the NT Backup binaries from a W2k3 server and copied it to the 2012 server. It works just fine and from there I imported the backup to the new WSUS location.

Migrate WSUS security groups

I didn’t do anything specific in this step. All the users, groups and security permissions were exact same in my new setup. If you are not certain go ahead  and double check as described here.

Back up the WSUS database

This is the most important step. I’m not gonna fill all the details but you can see how to do it here. Remember you need to install SQL Server 2012 Management Studio in your new server as 2005 version is not supported in 2012. This is required for WSUS database import.

Final steps

  1. After completing the WSUS database migration, open up WSUS console in the new server. You may notice that approved updates along with rest (yes 97 GB+) are there.
  2. Configure the new WSUS server with exact same configuration (products, classifications, automatic approvals, sync schedule etc… ). Most of the items are already there as we imported the WSUS database but make sure everything is same.
  3. In my organization, we had group policy in place to define the WSUS server. I just had to change the host name to the new one.
  4. Start a manual synchronization in the new server. Once it is finished make sure that the sync is Succeeded.
  5. As you have change the WSUS server in the domain group policy, you may need to log off and log in to client computers or run a gpupdate /force. Alternatively follow the step in the TechNet article to manually detect a client computer.

At the end of the day I saved a huge amount bandwidth for my company with a minimum downtime. So now you can stop worrying about downloading everything from the beginning if you are planning to migrate your WSUS setup to Server 2012 R2.

Watch below video from MVA featuring Andrew McMurry on how to perform this.

  • Pingback: Migrating WSUS 3.2 to Windows Server 2012 R2 | ...()

  • cypherstream

    Do you know at the end if you can change the host name on the new server to match what the old one was? Ours is conveniently named wsus.domain.com. That way I can use the same certificate and not change the GPO’s at all.

    • Well that depends. You can decommission the old server. Delete the computer account and re-add using the same name to AD DS. Endure that you update DNS records to match the old IP address.

      But disable the GPO before you change the host name in the new server. After that you can enable it.

      • cypherstream

        Thanks. I read a lot of people had issues renaming a WSUS server after it was installed. Something with either the database or IIS itself has a lot of references to the computer name. Now of course I could try putting an alternate hosts file on the new server, but I think what I will try first is adding a cname dns entry so the original name wsus points to the new wsus. This way I don’t have to one by one change all the local policies on non-domain joined machines (like DMZ / web servers, publically accessible kiosks, etc..)

        • Janaka Rangama

          Yes that is a good solution. If you are OK with using a new name then you can change the DNS records.

          If you haven’t renamed the server before you install WSUS, then you will have issues with renaming. I guess this is the scenario.

  • Dan Bator

    Great article, thank you.

    A word of caution if migrating from an existing WSUS server to a new WSUS server. I highly recommend that you DO NOT edit the WSUS address in your companies live GPO policy during business hours. We made this mistake, and within an hour or two we got a flood of helpdesk tickets that computers were basically slowed down to crawl. Upon inspection, the svchost.exe process was maxing out the memory of the machine, and the DQL on hard disk drives were running wild anywhere from 5 to 30! Apparently the client machines running an internal database check against the new WSUS server. What for exactly, I do not know, but it was 98% read activity in the C:WindowsInstallers directory. It took older client machines (Lenovo T420 and T440 laptops, older M73 desktops with aging hard disk drives) 15 minutes to 90 minutes to complete the check. Rebooting the machines would only pick up where it left off. We had to tell our employees to patiently wait it out. It was bad to the point where just to open task manager would take over a minute. We had to give some people laptops to work in the interim until the check completed.

    Make the change over the weekend or after business hours!

  • vluu


    we are moving from wsus on win2003 to win2012r2. I did a new install of wsus on win2012r2 and successfully synced with the upstream server. Im using local WID DB where i moved it and other directories to another drive. I did not migrate anything from win2003 to win2012 server. Ran BPA and passed. Currently both wsus servers are running in parallel.

    the problem i have is i tested to moved some clients to the new server via changing the GPO but i do not see the clients on the win2012 wsus server. I forced check-in with updatenow and still does not apprear. rebooted both the wsus2012 and client machine still no success.

    I came across this MS article to change the WSUS server identity which i did not do because its a new install of wsus on win2012 and not migrated.

    Any advice appreciated.


    • Janaka Rangama

      Best way is to change the GPO to the new WSUS server. Then do a gpupdate on test clients.

      Check the GPO assignment for the failed test clients. They may be still pointing to the old WSUS server