Category Archives: Solutions

Various solutions and quickfixes discovered during the course of normal life.

WSUS Liposuction–How to reclaim drive space from an out of control WSUS instance.

Windows Server Update Services (WSUS) is a wonderful method of centralizing how your Windows based environment retrieves Microsoft updates.  The benefits range from fine grained control of which updates to deploy to reducing your network bandwidth requirements during patch Tuesday.

There is, however, a dark downside to WSUS:  It will slowly eat up drive space while slowing to a crawl. 


TLDR:  Flag as “Declined” all unneeded WSUS updates (simple eh?)


  1. Launch Windows Server Update Services
    Important: Launch as Administrator!
  2. View All Updates
    Navigate to [Server Name] –> Updates –> All Updates
  3. Right click on the grid heading and show the following columns: “Supersedence”, “Needed Count”, “Installed Count”, “Not Applicable Count”
  4. Set your filters to Approval = “Approved” and Status = “Any”
    Important: Remember to click Refresh
  5. Wait….
    (If you have a lot of Approved updates, this will take a while!)
  6. Sort by Supersedence and select all updates which have been Superseded.
    What you will find is a *lot* of updates approved for “Install” which have been superseded
    Important:  There are three Supersedence icons.  Do not select the icon with the blue square at the top without reviewing first to verify the update does not apply to your environment!  These are the latest (most current) updates in the Supersedence chain!
  7. Right click and “Decline” the superseded updates
    Important:  You may receive an “Error: Unexpected error” while WSUS is declining the updates.  Ignore this, as it is simply a timeout caused by WSUS being *very* busy.  You can hit “Reset Server Node” once the declining is complete.  You may want to verify all “Superseded” updates have been “Declined” by repeating steps 4 – 7.
  8. Click Refresh to update the list of updates.
  9. Sort Descending by Not Applicable and navigate to the top most row
  10. You will very likely see many rows that:
    Needed Count = 0
    Installed Count = 0
    Not Applicable Count = [Number of computers WSUS is servicing]
    These are “Approved”  updates which are not needed by your environment.
    Highlight, Right Click, and “Decline” any updates which do not belong to your environment
    Caution! It is recommended you review the updates to verify you are not declining something which may become part of your environment at a future date.
  11. Navigate to Options and select Server Cleanup Wizard
  12. Uncheck all boxes EXCEPT Unneeded Update Files and click Next

  13. Wait….
    (This is actually pretty fast)
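
Steps 4 to 7 and 11 to 12 can also be scripted. The following is an added example, not code from the original post, and it adds one check the console steps do not perform: a superseded update is declined only when an update that supersedes it is itself approved, so clients are not left without the fix. It assumes the UpdateServices PowerShell module (Windows Server 2012 or later) in an elevated session on the WSUS server; the -Apply switch is this example's own name.

```powershell
# Added example, not from the original post.
# Without -Apply this is a dry run that only reports what would be declined.
param([switch]$Apply)

Import-Module UpdateServices
$wsus = Get-WsusServer
$supersedes = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

# Steps 4-6: approved updates that are themselves superseded.
# IsSuperseded is false for the newest update in a chain, so the
# "blue square at the top" updates are never selected here.
$candidates = Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any |
    Where-Object { $_.Update.IsSuperseded -and -not $_.Update.IsDeclined }

$declined = 0
$kept = 0
foreach ($u in $candidates) {
    # Safety check: some newer update in the chain must be approved and not declined.
    $replacement = $u.Update.GetRelatedUpdates($supersedes) |
        Where-Object { $_.IsApproved -and -not $_.IsDeclined }

    if (-not $replacement) {
        Write-Warning "Kept for review (no approved replacement): $($u.Update.Title)"
        $kept++
        continue
    }

    if ($Apply) {
        $u.Update.Decline()                                   # step 7
    } else {
        Write-Output "Would decline: $($u.Update.Title)"
    }
    $declined++
}

$verb = if ($Apply) { 'declined' } else { 'would be declined' }
Write-Output "$declined superseded updates $verb; $kept kept for review"

# Steps 11-12: remove only the unneeded update files.
if ($Apply) {
    Invoke-WsusServerCleanup -UpdateServer $wsus -CleanupUnneededContentFiles
}
```

Run it once without -Apply and review the "Kept for review" warnings before running it again with -Apply.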


That’s it!  You’re done.  Now go bask in the glow of your reclaimed drive space!

One Last Note:
If your WSUS server is running as a virtual server on Hyper-V AND you are using dynamic drives, you’ll want to read
VHD Liposuction – How to shrink a dynamic VHD file after reclaiming space

How to calculate the current Stardate in C#

Recently, one of our developers needed to calculate the Stardate using C#.NET.  After much internal mental gymnastics regarding TOS, TNG, and newer calculations, the following code was produced:

string stardate = DateTime.Now.Year.ToString() + "." + ((int)(DateTime.Now.DayOfYear / 3.65F)).ToString();

The developer was immediately harangued about inconsistent time zone support.  Of course, we are not exactly sure how time zones work in outer space….

…and management wants to know which customer CR this line of code now belongs to.

Remove Lync from Active Directory

Stories from the Lync Test Bench: Cleaning up Active Directory

As with any new, non-trivial upgrade, we spend a lot of time performing test installs on our test bench. (Yes, sometimes the test bench is production… but we do try to avoid testing in production… usually). There are times where we need to clean Lync from Active Directory. Normally, we would restore the domain controller from ice, but there are occasions where restoring / rebuilding the test domain is not practical.

This document covers the steps for “cleaning” your Active Directory of Lync “stuff” in order to allow for a brand new install.

Step#1: Remove permissions
This step removes the original Lync permissions from Active Directory.

  1. Open Active Directory Users and Computers
  2. Right click on your top level domain being cleaned and select Properties
  3. From the Properties window, select the Security tab.
  4. Remove all security users titled RTC*
    These are usually
    – RTCUniversalServerReadOnlyGroup
    – RTCUniversalUserReadOnlyGroup
    – RTCUniversalUniversalServices
    – RTCUniversalUserAdmins
  5. Repeat the same steps for each of the following AD Folders and OUs
    NOTE: Not all RTC permissions will exist in each AD Folder or OU, but these three OUs do:
    – Domain Controllers
    – System
    – Users

Step#2: Remove the RTC Services branch

  1. Open ADSI Edit
    New to ADSI? See this link:
  2. Open the Naming Context Configuration for the domain being cleaned
  3. Drill down to the following path:
    CN=Configuration [your domain] –> CN=Services
  4. Delete the CN=RTC Service entry


Step#3: Additional AD cleanup

  1. Open Active Directory Users and Computers
  2. Drill down as follows
    [Your Domain] –> Program Data –> Distributed KeyMan
  3. Delete LyncCertificates
    NOTE: This may not exist in all scenarios.
  4. Drill down as follows
    [Your Domain] –> Users
  5. Delete all RTC* and CS* users created by Lync
    I.E. CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, Etc.


Step#4: Cleanup existing users
This step resets Lync attributes for any domain users and contacts.

Manual Method

  1. Open Active Directory Users and Computers
  2. Click View from the menu and activate Advanced Features
  3. Right click on your domain and select Find
  4. Set the Find: option to Custom Search
  5. Select the Advanced tab
  6. Enter the following LDAP Query: (msRTCSIP-PrimaryHomeServer=*)
  7. Click Find Now
  8. Note each returned user or object
  9. Close Find
  10. Right click on each user or object found in the search
  11. Select Properties
  12. Select the Attribute Editor tab
  13. Find and reset all msRTCSIP* attributes for the user/object

Automatic Method
For those who love PowerShell:
Important: Remember to launch PowerShell as an Administrator

Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(msRTCSIP-PrimaryHomeServer=*)" | ForEach-Object {
    # Clear the Lync (msRTCSIP-*) attributes on each object that has a home server set
    Set-ADObject -Identity $_.DistinguishedName -Clear "msRTCSIP-DeploymentLocator", "msRTCSIP-FederationEnabled", "msRTCSIP-InternetAccessEnabled", "msRTCSIP-OptionFlags", "msRTCSIP-PrimaryUserAddress", "msRTCSIP-UserEnabled", "msRTCSIP-UserPolicies", "msRTCSIP-UserRoutingGroupId", "msRTCSIP-PrimaryHomeServer"
    "Cleaned $($_)"
}

Final “user cleanup” considerations:

· The scripts and methods are current as of Lync 2013 (March 2013). Review your particular implementation to determine if more or fewer attributes need to be cleaned.

· If you have integrated with Exchange Unified Messaging (UM), you will have two contacts specifically set up for Unified Messaging. Consider deleting these contacts as they will most likely be recreated during the next Lync server installation and setup.
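
A read-only check that Steps 1 through 4 left nothing behind, as an added example that is not part of the original post. It assumes the ActiveDirectory module and its AD: drive, and the variable names are this example's own. ACEs whose group was deleted first show up as bare SIDs and are not matched by the RTC name filter.

```powershell
# Added example, not from the original post. Makes no changes to the directory.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext

# Step 1: explicit ACEs still granted to RTC* groups on the domain root
# and on the Domain Controllers, System and Users containers.
$aclTargets = $domainDN,
              "OU=Domain Controllers,$domainDN",
              "CN=System,$domainDN",
              "CN=Users,$domainDN"
$aces = foreach ($dn in $aclTargets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -match '\\RTC' } |
        Select-Object @{ n = 'Object'; e = { $dn } }, IdentityReference, ActiveDirectoryRights
}

# Step 2: the RTC Service entry under CN=Services in the configuration partition.
$rtcService = Get-ADObject -SearchBase "CN=Services,$configDN" -SearchScope OneLevel `
    -LDAPFilter '(cn=RTC Service)'

# Step 3: RTC* and CS* objects still in the Users container.
# CS* can match unrelated names, so treat this list as something to review.
$leftover = Get-ADObject -SearchBase "CN=Users,$domainDN" -SearchScope OneLevel `
    -LDAPFilter '(|(cn=RTC*)(cn=CS*))'

# Step 4: users and contacts that still carry a Lync home server.
$homed = Get-ADObject -LDAPFilter '(msRTCSIP-PrimaryHomeServer=*)'

[pscustomobject]@{
    RtcAclEntries       = @($aces).Count
    RtcServiceContainer = @($rtcService).Count
    RtcOrCsObjects      = @($leftover).Count
    LyncEnabledObjects  = @($homed).Count
}

# Details for anything that is not zero above.
$aces | Sort-Object Object, IdentityReference | Format-Table -AutoSize
$leftover, $homed | ForEach-Object { $_ } | Select-Object Name, ObjectClass, DistinguishedName
```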


Step#5: Prepare Current Forest Impacts

Manually cleaning Lync from your Active Directory will result in some issues when preparing the Active Directory during Lync install. If you receive the following error on Step 3: Prepare Current Forest under the Prepare Active Directory for Lync Server wizard:

Command execution failed: Active Directory operation failed on “[your Lync Server]”. You cannot retry this operation: “Directory object not found [domain specific text]”


Result: Create permissions for Configuration delete objects container
TaskFailed: Task execution failed

Use the following steps to manually prepare the forest:

  1. Launch Lync Server Management Shell from the start menu
    Important: Remember to run as an administrator
  2. Enter the following PowerShell command
    Enable-CSAdForest -GlobalCatalog [fully qualified domain server name] -Force
    For example:
    Enable-CSAdForest -GlobalCatalog DC.YourDomain.COM -Force
  3. Refresh the wizard. The green checkbox should now be displayed on Step 3.
  4. Continue the wizard as normal.