camilorgp

WSUS 3.0 Client Configuration

I need to set up the following distributed management configuration:
1 WSUS Active Software Update Point Server (ASUP)
5 WSUS Downstream Servers

The ASUP Server is located in our main office, where our global Internet connection is located. All other 5 offices are connected to the main/central office via MPLS network links, hence the 5 Downstream servers.
We have Windows 2003 Active Directory in place.

As far as the server installation and configuration goes, the installation wizard is pretty straightforward, but I'm stuck trying to add the first WinXPSP2 client to one of the downstream servers.

Can you please provide me with detailed instructions as to how I can direct WinXP clients to get the Microsoft updates from the local downstream WSUS server rather than the Microsoft Update site?

If your advice is to use GPOs, please be very specific with the steps I should follow.

brent_caskey

Here you go:

http://technet2.microsoft.com/windowsserver/en/library/43bcd87f-9483-4d84-bad5-bdff68761d0d1033.mspx?mfr=true

You will need to have different GPOs for the different downstream servers and might need to have different OUs as well (most likely).

tigermatt

You will need to use multiple GPOs for each site. Undoubtedly the easiest method is to use the Group Policy Management Console to view the list of all your sites. You can then create a GPO object for every site you have, and configure the site's local WSUS server in that GPO. GPOs will then be applied to the site as defined by the subnets in AD Sites and Services.

You will need to configure the option which specifies something to the effect of "Intranet location to retrieve updates from" with the address of the WSUS server. You will also need the "Configure Automatic Updates" setting enabled and configured appropriately, and it is a good idea to use grouping by Client Side Targeting in the GPO as opposed to grouping computers in WSUS manually.

ASKER CERTIFIED SOLUTION
ngailfus

This solution is only available to members.

camilorgp (ASKER)

Hello ngailfus,

I just finished the configuration of a GPO for a group of clients. How can I make sure that these clients are in fact using the local WSUS and not Windows Update?

For instance, I was expecting to find the list of the clients affected by the GPO in the WSUS Administrator under "All Computers\WinXP", where "WinXP" is a group that I created specifically for this purpose. But unfortunately I'm not seeing any of the clients affected by the GPO in any of the groups under "All Computers" in the WSUS Administrator tool. How long should I wait for this list to be populated?

You should start slowly seeing computers as they refresh their policy and report to the WSUS server. One way to test would be to go to one of the computers that should be getting the policy. Go to the command line and type "gpupdate /force" and once that's complete, reboot the machine. It should see the new policy and appear in the WSUS interface. If you don't see it, a way to verify that GPOs are being applied is the command gpresult. Running that on the client will let you see what GPOs are being applied.

I know this is not the original question, but for some reason the GPO I created is not being applied. I created this GPO from AD to affect only one specific OU. I checked the GPO and it looks like it is all right, but after running gpupdate /force and rebooting, I ran gpresult and my GPO does not appear on the list. Do you have any ideas as to why this could be happening?

Make sure the GPO Scope has Domain Computers in the Security Filtering.

I just added "Domain Computers" to the Scope of the policy, ran gpupdate /force and rebooted, but gpresult keeps showing only "Default Domain Policy" under "applied GPOs". And of course WSUS Administrator is still not showing the computer listed.

What information do you need in order to verify that my GPO doesn't have any errors, or to find out the reason why it is not being applied?

The GPO is linked, correct?

What do you mean? Can you explain?

This is a snapshot of my GPMC. The only difference that I can tell with the other GPOs is that mine, "Windows Software Update", has a gray lock in its icon. But I don't know what it means.
GPMC.jpg

It turns out that I just had to wait; the GPO was finally applied sometime last night and I can now see the clients listed on my WSUS.
Thanks for all your help.
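
An added example, not part of the original thread: the WSUS GPO settings discussed above are stored on each client as registry values under the Windows Update policy key, so reading them shows whether the policy has arrived and which server the client is pointed at. The server URL is a placeholder for the site's own downstream server; `WinXP` is the group name from the question.

```powershell
# Added example: check the Windows Update policy values a WSUS GPO writes on a client.
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedServer = 'http://wsus-site1.example.local',  # placeholder URL
        [string]$ExpectedGroup  = 'WinXP'                             # group from the question
    )

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $problems = @()

    if (-not $wu) {
        # No policy key at all: the GPO has not reached this machine yet.
        $problems += "No WindowsUpdate policy key: GPO not applied (check link, scope, gpresult)"
    }
    else {
        # Both values are written by the intranet update service location setting.
        if ($wu.WUServer -ne $ExpectedServer) {
            $problems += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
        }
        if ($wu.WUStatusServer -ne $ExpectedServer) {
            $problems += "WUStatusServer is '$($wu.WUStatusServer)', expected '$ExpectedServer'"
        }
        # Client-side targeting: the client tells WSUS which group it belongs to.
        if ($wu.TargetGroupEnabled -ne 1 -or $wu.TargetGroup -ne $ExpectedGroup) {
            $problems += "Client-side targeting is not set to group '$ExpectedGroup'"
        }
    }

    # UseWUServer = 1 is what makes the Automatic Updates client use WUServer.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $problems += "AU\UseWUServer is not 1: client still uses Microsoft's update site"
    }
    # NoAutoUpdate = 1 means "Configure Automatic Updates" is set to Disabled.
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $problems += "AU\NoAutoUpdate is 1: Automatic Updates is disabled by policy"
    }

    if ($problems.Count -eq 0) { "OK: client is configured for $ExpectedServer"; return }
    $problems
}

Test-WsusClientPolicy
```

A clean result only shows that the policy has landed on the client; the computer appears in the WSUS console after its next detection cycle, which `wuauclt /detectnow` starts immediately.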