cwstad2
asked on
WSUS DNS setup for upstream host and replicas
Hi all, we have a setup whereby we have one upstream server and multiple replicas. I have a question re the DNS setup. Currently there are multiple IP entries that point to the WSUS server. These sites are based at different geographical locations. Is this the best way to configure it, or is there a better way? It looks as though some of the PCs on one site are pointing to a WSUS server on another site.
Yes, you *MUST* if you want your client PCs to point to replicas. That is the only way.
ASKER
That will complicate things, but thank you for the info. Much appreciated.
ASKER
Do you create different GPOs for each site, guys? So if, for example, I have 10 replica servers and 4 different patch deployment policies, does that mean I would need to create 40 individual GPOs?
ASKER
Hi, I read this on a Microsoft forum. This is what is set up currently, but it is different to your suggestion. Thanks for your help.
Non-centralized architectures can better route clients through DNS Netmask ordering
Microsoft DNS Round Robin will first provide an IP address in the same subnet as the requestor
If no IP exists in the same subnet, a random IP will be selected
All WSUS hosts must respond to the same FQDN
DNS FQDN record is populated with IP addresses of all WSUS servers in the network
ASKER
So if I put the IP address of the local WSUS server into the 'Specify intranet Microsoft update service location' setting of the GPO, then I will have to have a separate GPO for each of the replica servers. So if I had 4 original GPOs with different install schedules, and 10 downstream servers, I would have to create 40 GPOs?
ASKER
I think I must be missing something here. So if I have the downstream servers listed below and I alter 'Specify intranet Microsoft update service location' by entering one of the IPs, how can I possibly have only the same number of GPOs that I had originally (4) if I need to point the GPO to the local IP address of the downstream server on that subnet?
wsus.company.com
10.68.30.x
10.68.20.x
10.67.40.x
10.67.10.x
10.69.50.x
10.69.60.x
I don't see any way to do that: either you need to reduce the WSUS servers to 4 only, or you need to increase the GPO count to equal the number of IP addresses.
ASKER
Thanks, I thought I was going mad ;') They are in different geographical locations, hence the need for the downstream replica servers on each of the sites. I have 4 different restart schedule GPOs and I don't really want to create each of those on each site, as there will be a large number of GPOs. Can I ask how you manage multi-site with multiple downstream servers? Your time is greatly appreciated.
1st you need to decide which site reports to which downstream server.
Then create one GPO per downstream server and link the respective GPO to all the respective sites (OUs) that report to that particular downstream server.
Note that if you have one downstream server per site, then you must create one GPO per site.
ASKER
OK, thanks. To summarise: create one new GPO per site. Use the IP address of the local WSUS server and enter that into the GPO's 'Specify intranet Microsoft update service location'. Do I have to disable or not configure 'Specify intranet Microsoft update service location' on all of the other Tier GPOs?
You have to configure this option in every GPO for the respective site's WSUS server; you simply cannot skip that.
What you can do is apply the same policy to multiple sites / OUs if you want them to communicate with the same update server.
Mahesh.
ASKER
You have applied all the GPOs to the same OU; not sure what your requirement is.
This will not suffice for your requirement.
You need to apply only one GPO per location (local WSUS server).
Ex:
London OU will have one GPO pointing to the London local WSUS server
New York OU will have one GPO pointing to the New York local WSUS server
Also in the screenshots I see the London and New York servers are placed in the same subnet; are they in the same segment and datacenter?
In that case why do you require multiple servers?
Mahesh.
ASKER
This is just an example on a test system. This is where I'm not following. Can I not have 4 Tier GPOs in total and apply them to any OU, as long as the WSUS London GPO is applied and inherited? Or will I have to create 4 new tier GPOs for each site? Thanks
OK
Yes, you can apply the same GPO on multiple OUs / a top-level OU so that its settings will get inherited by lower-level OUs in the hierarchy.
But you should not apply the London GPO to the NY OU, as it will defeat the purpose of using a local WSUS server.
Not sure where the confusion is...
You need to create multiple GPOs, one corresponding to each IP.
On every site apply only one GPO, the one intended for that site.
Now all sub-OUs in that OU will get settings from that GPO only.
Not sure why you stick to 4 GPOs only when you have 10+ WSUS servers, if I am not wrong...
You need to create one GPO for every WSUS server.
Mahesh.
ASKER
That's great, I think we are there. I tested on my system and the windowsupdate.log showed the correct IP address for the WSUS server. I will create the 10 GPOs with the IP addresses of the local WSUS servers. I will then apply the 4 Tier GPOs to the same OU as the WSUS location GPO. The 4 tiers have different scheduled times for different download and install. Appreciate the help.
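The arrangement the thread settles on (one "location" GPO per downstream WSUS server linked at its own site OU, and the same schedule-tier GPOs linked at every site and scoped with security filtering) as an added PowerShell example. This is not code from the thread or from Experts Exchange. It assumes the RSAT GroupPolicy module on a domain-joined admin host, a domain company.com with one OU per site under OU=Sites, replicas listening on the default HTTP port 8530, and tier security groups that already exist; the server addresses, OU names, GPO names, tier schedules and group names are placeholders.

```powershell
# Added example, not code from the thread. Assumes RSAT's GroupPolicy module,
# a domain company.com with one OU per site under OU=Sites, WSUS replicas on
# the default HTTP port 8530, and existing tier groups. All addresses, OU,
# GPO, tier and group names below are hypothetical placeholders.
Import-Module GroupPolicy

$domainDn = 'DC=company,DC=com'
$wuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey    = "$wuKey\AU"

# One entry per downstream server: the site OU it serves and its local address.
$sites = @(
    @{ Name = 'London';  Ou = "OU=London,OU=Sites,$domainDn";  Wsus = 'http://10.68.30.10:8530' },
    @{ Name = 'NewYork'; Ou = "OU=NewYork,OU=Sites,$domainDn"; Wsus = 'http://10.67.40.10:8530' }
)

# Schedule tiers are site-independent: they set only AU timing and are scoped
# to a computer group, so the same GPOs are linked at every site OU.
$tiers = @(
    @{ Name = 'Tier1'; Day = 7; Hour = 3;  Group = 'WSUS-Tier1' },   # Saturday 03:00
    @{ Name = 'Tier2'; Day = 1; Hour = 22; Group = 'WSUS-Tier2' }    # Sunday 22:00
)

function New-GpoIfMissing([string]$Name, [string]$Comment) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment }
    return $gpo
}

function New-GPLinkIfMissing([string]$Name, [string]$Target) {
    $linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null }
}

# 1. Tier GPOs: schedule only, never a server URL, so they cannot override the
#    site's location GPO no matter how the links are ordered.
foreach ($tier in $tiers) {
    $name = "WSUS-Schedule-$($tier.Name)"
    New-GpoIfMissing $name "Install schedule for members of $($tier.Group)" | Out-Null
    Set-GPRegistryValue -Name $name -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0          | Out-Null
    Set-GPRegistryValue -Name $name -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 4          | Out-Null  # auto download + scheduled install
    Set-GPRegistryValue -Name $name -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value $tier.Day  | Out-Null  # 0 = every day, 1 = Sunday .. 7 = Saturday
    Set-GPRegistryValue -Name $name -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value $tier.Hour | Out-Null  # hour, 0-23
    # Security filtering: only the tier group applies the GPO. Authenticated Users is
    # reduced to Read (not removed), which computers still need after MS16-072.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead  -Replace | Out-Null
    Set-GPPermission -Name $name -TargetName $tier.Group          -TargetType Group -PermissionLevel GpoApply          | Out-Null
}

# 2. Location GPOs: one per downstream server, linked once at that site's OU.
#    These are the values "Specify intranet Microsoft update service location" writes.
foreach ($site in $sites) {
    $name = "WSUS-Location-$($site.Name)"
    New-GpoIfMissing $name "Points $($site.Name) clients at their local WSUS replica" | Out-Null
    Set-GPRegistryValue -Name $name -Key $wuKey -ValueName 'WUServer'       -Type String -Value $site.Wsus | Out-Null
    Set-GPRegistryValue -Name $name -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $site.Wsus | Out-Null
    Set-GPRegistryValue -Name $name -Key $auKey -ValueName 'UseWUServer'    -Type DWord  -Value 1          | Out-Null
    New-GPLinkIfMissing $name $site.Ou

    # The same tier GPOs are linked at every site; child OUs inherit both kinds.
    foreach ($tier in $tiers) { New-GPLinkIfMissing "WSUS-Schedule-$($tier.Name)" $site.Ou }
}

# 3. On a client after gpupdate /force: show which server and schedule the
#    policy resolved to (the same information the thread checked in windowsupdate.log).
function Get-WsusClientTarget {
    $wu = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer    = $wu.WUServer
        UseWUServer = $au.UseWUServer
        InstallDay  = $au.ScheduledInstallDay
        InstallHour = $au.ScheduledInstallTime
    }
}
```

With ten sites and four tiers this is fourteen GPOs and fifty links rather than forty GPOs, which is the count the thread converges on. Two points a practitioner should weigh before copying the thread's settings literally: a client trusts whatever host WUServer names for both update metadata and the binaries it installs, so configuring WSUS for HTTPS (port 8531, with a hostname that matches the server certificate) rather than a bare IP over HTTP is the Microsoft-recommended hardening; and because the tier GPOs carry no WUServer value, linking them alongside the location GPO does not create the override problem the asker was worried about.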
ASKER
I've been testing the system by putting the computers into security groups.
OK
Now got it.
So you are using the GPO security filtering feature.
Good luck
ASKER
That's the plan. I know it's not the best way, but we have limited OUs. Thanks for your help, much appreciated.