My question is simple, and I think I know my answer - I'm really after a confirmation from others.
Obviously, if my WSUS server dies I will have some hefty downloads to do once it is back up, and that's not a problem. I was thinking more of the database behind WSUS - should that be backed up?
What I think would happen is that it would be just like setting WSUS up again for the first time - change the group policy and the WSUS server will then build its database of computers and their installed updates from scratch.
Am I right in my assumptions, or will it do something unexpected?
Is it better in the long run to just back the database up, say once a month and be done with it?
It sort of depends on how complicated your group layout is and whether you've done a lot of custom approvals/denials for certain groups. It also depends on whether you care about the history and current status of the computers in the database.
If you have a very simple setup where you're just approving all updates and you don't really care about the history of any of the computers, there's no need to backup the database or the updates. It would probably take less time to just re-build the service from scratch (depending on how fast your network connection is to Microsoft) than restore from backup. All of your existing machines will just check in with the new server once it's up.
It's a pretty basic risk analysis for any service. If you have data that would be costly (time or money) or impossible to re-create from scratch, you should back it up. Otherwise, don't bother.
Backuping the database is a small task, and backup up updates is really no point as you would simply re-download them again if you have to rebuild your WSUS server. Most of the updates are already applied anyway.
I backup my WSUS database so that I don't have to write down (or remember) what updates to decline (we have a custom word plug-in that crashes with a certain KB for example).
I looked into this in a previous job when the backups were approaching the tape capacity. Rather than continue to back up WSUS I set it up on another server and configured that as a downstream server, even though it wasn't actually serving any clients. I figured that if necessary I could just edit the GPO setting pointing to the server and get on with more urgent matters, like restoring the rest of the failed system. The disk spaced used was of no concern but it did free up valuable space on the tapes.
I'd back it up anyway, just for the extra comfort factor. It strikes me that WSUS is not something that absolutely needs to be included in your regular nightly backup jobs, and could instead be run off during the day, which might make things easier if your time window and/or storage are tight. Whether or not you want to backup the updates as well as the database and other configuration is up to you really; if it's trivial to just download them again then you probably don't need to.
If you do decide to not back it up, make sure that you THOUROUGHLY document the configuration. Rebuilding the OS and the application and database software may be trivial, but unless you've got the configuration back right then you haven't really recovered.
What you're saying re: rebuilding the WSUS server is correct (though if the update URL for the replacement WSUS server is the same as the failed WSUS server no changes to the client configuration re: Group Policy, registry settings, etc, would be necessary).
Whether or not to backup the WSUS database is really just a tradeoff of time to download versus usage of your backup resources (space, time in the backup window). It's typically pretty small, so I'd go head and grab it somewhat regularly.
How much work would it be to set it up again?
How much effort/cost is involved in backing it up?
If the work to set it up is going to cost less than the cost of backing it up, you have an answer.
I just take a ghost image of ours once a quarter.. a few months of patches is small potatoes in the scheme of things.. but I also force it to use the proxy anyway, so in the event it does die, I can still load most of them locally through that.. (our proxy has a LARGE cache, 100GB)
Cheers for reminding me, I'm adding a scheduled task so I don't forget next quarter and am backing it up now!
It is always a good idea to have a backup of any server.
The pain of having to set wsus up again and then mash all the machines into it is far greater then the 30 seconds that is required to set up some kind of backup on the machine.
Run a daily dump of the DB / System to either just a simple external volume or if you have an internal backup infrastructure dump it there.
IMO no, the time/hassle to rebuild a WSUS server is negligable, and it's not a time-critical item that kills you when it's down.
If you wany to mitigate the hassle as much as possible, setup client-side targeting via group policy for your workstations/servers. This'll reduce your overall WSUS management overhead as well as making a rebuild pain-free.
When you factor in the cost of a SQL backup CAL, or setting it up/maintaining it via a manual method, I really can't find a strong argument to back it up.