In this article I will demonstrate how to migrate an existing WSUS 3.0 SP1 server from a local SQL Express instance to a remote SQL Server 2005 Database Services instance.

Firstly be aware of these limitations when deploying WSUS with a remote SQL Server instance.

  • You cannot use a server configured as a domain controller for either the front end (FE) or the back end (BE) of the remote SQL pair.
  • You cannot use a server running as a Terminal Services server for the front end of the remote SQL pair.
  • You cannot use Windows Internal Database for database software on the back-end server.
  • Both the front-end and the back-end servers must be joined to an Active Directory domain.

1. Download and install the SQLCmd tool on the WSUS server.

2. Install SQL Server 2005 "Client Tools Only" on the WSUS server so that you have access to the SQL Management Studio console.

3. Stop the IISAdmin and Update Services services in Computer Management.  Note the other services that IISAdmin will stop, usually the World Wide Web service and the HTTP SSL service.

4. Use SQLCmd to detach the SUSDB.

C:\>sqlcmd -S np:\.pipeMSSQL$MICROSOFT##SSEEsqlquery

1> use master
2> alter database SUSDB set single_user with rollback immediate
3> go

Changed database context to 'master'
Nonqualified transactions are being rolled back. Estimated rollback completion
1> sp_detach_db 'SUSDB'
2> go
1> exit

5. Copy the SUSDB.mdf and SUSDB_Log.ldf files from the WSUS server to the remote SQL server.  Place them in the default locations for MDF and LDF files on the SQL server.

6. Attach the SUSDB to the remote SQL server.



7. Grant the WSUS server computer account permissions to the SUSDB on the remote SQL server.

8. Configure the WSUS server to use the remote SQL server for SUSDB by modifying the HKLMSoftwareMicrosoftUpdate ServicesServerSetupSQLServerName registry key.


9. Start the IISAdmin, World Wide Web Publishing Service, HTTP SSL, and Update Services services.  Or you can just reboot the server.

10. Launch the WSUS administration console to verify the WSUS server is connecting to the database successfully.  If WSUS is not working properly double-check the services in the previous step or try restarting the server.  You can also review the Application event log for WSUS errors.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Steve C

    In step8 unless you are connecting to a default SQL instance the SQLServername must be added in the form SQLSERVERSQLINSTANCE. Would be pretty obvious to DBAs but I had an issue with mine connecting until I realised the default instance had been renamed.

  2. George

    I also had to set the registry value “SqlInstanceIsRemote” to 1. With an internal DB setup it’s defaulted to 0.

  3. Robert

    as addition to Chris’ post:

    7.6 right-click the SUSDB and click Properties
    7.7 Select Permissions and highlight your Server account
    7.8 Grant permissions.

    At least when I followed the article and Chris’ post my SUS server only had Connect access to the database. After granting all of the permissions (dont know which are actually necessary, but it doesnt really matter either) the SUS server management worked again.

  4. Steve

    Had an issue moving an SP1 DB to an SP2 installation. The console would not connect after attaching the DB. We applied the windows update that updated our WSUS to SP2 from SP1 on the old server, but apparently applying to SP2 update does not update the DB schema. So after uninstalling and leaving all updates and the DB in place, I reinstalled and it said it would update the DB schema to SP2. After that, it worked sucessfully.

  5. Colin

    the App events didnt tell me much i’m afraid. I have got it working now.

    Great article, thanks.

  6. Avatar photo

    Colin, your event log should have entries indicating why it would not start.

  7. Colin

    Followed the steps exactly – wsus wont load after server restart.

  8. Chris

    Here’s a slightly more detailed #7:
    7.1 Right click “Security”, it’s directly under “Databases” from #6. Select New -> Login…
    7.2 In “Login name” enter {domain name}{wsus server}$ (ex, Contosowsus01$)
    7.3 Select the “User Mappings” page in the upper left
    7.4 Check the box next to SUSDB database, under the Default Schem column enter “dbo”
    7.5 Click OK

    This should be good for most simple installs. This is a bit insecure, as any application on the WSUS server can write anything to the database. If you have anything complicated going on contact a real DBA, and implement real security measures.

  9. markc

    Yes I’m also struggling on step 7. It appears all the ms docs assume knowledge here, as does the above article. Where is this machine login added? Please elaborate with screenshots!

  10. Avatar photo

    Hi Philip, you can create a login for a computer account by typing the computer name into the “Login name” field directly, instead of searching for it.

    So for example, to add a login for the computer account WSUSSERVER in the domain LAB, you would type LABWSUSSERVER$ into the “Login name” field.

    Hope that helps.

  11. Philip Smth

    This is so helpful – but would you clarify point 7 please? I believe I’m failing in this step (and I’m not an SQL guy…).

    I’m trying to add a computer account to the securitylogins group in SQL 2005 SP2, but I can only add user, group, or built-in security principal, no computer.

Leave a Reply