WSUS 3.0 Client Configuration

I need to set up the following distributed management configuration:
1 WSUS Active Software Update Point Server (ASUP)
5 WSUS Downstream Servers

The ASUP Server is located in our main office, where our global Internet connection is located, all other 5 offices are connected to the main/central office via MPLS network links, hence the 5 Downstream servers.
We have Windows 2003 Active Directory in place.

As far as the server installation and configuration goes, the installation wizard is pretty straight forward, but Im stuck trying to add the first WinXPSP2 client to one of the downstream servers.

Can you please provide me with detail instructions as to how can I direct WinXP clients to get the Microsoft updates from the local downstream WSUS server rather than the Microsoft Update site?

If your advice is to user GPOs please be very specific with the steps I should follow.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Here you go:

You will need to have different GPOs for the different downstream servers and might will need to have different OUs as well (most likely)
You will need to use multiple GPOs for each site. Undoubtedly the easiest method is to use the Group Policy Management Console to view the list of all your sites. You can then create a GPO object for every site you have, and configure the site's local WSUS server in that GPO. GPOs will then be applied to the site as defined by the subnets in AD Sites and Services.

You will need to configure the option which specifies something to the effect of "Intranet location to retrieve updates from" with the address of the WSUS server. You will also need the "Configure Automatic Updates" setting enabled and configured appropriately, and it is a good idea to use grouping by Client Side Targeting in the GPO as opposed to grouping computers in WSUS manually.
GPO is the only way that I know of to redirect clients to your WSUS servers.  I would create a new GPO and under Computer Configuration right click Administrative Templates and select Add\Remove Template.  The template you want to add is wuau.adm which should be found in the Windows\inf directory.  This will add more options to the Windows Update settings under Computer Configuration > Administrative Templates > Windows Components.  

The option you want to look for is "Specify intranet Microsoft update service location."  You would enable this policy and in both fields fill in http://yourservername.  I would suggest looking at the other policies under Windows Update such as scheduling the updates specifying WSUS computer groups.  Setting the group is under "Enable client-side targeting."  For this option to work you would have to go into the WSUS console and go to Options > Computers and set "Use Group Policy or Registry..."  

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

camilorgpAuthor Commented:
Hello ngailfus,

I just finish the configuration of a GPO for a group of clients. How can I make sure that these clients are in fact using the local WSUS and not the Windows Update?
camilorgpAuthor Commented:

For instance, I was expecting to find the lsit of the clients affected by the GPO in the WSUS Administrator under "All Computers\WinXP" where "WinXP" is a group that I created specifically for this purpose. But unfortunately I'm not seeing any of the clients affected by the GPO in any of the groups under "All Computers" in the WSUS Administrator tool. How long should I wait for this list to be populated???
You should start slowly seeing computers as they refresh their policy and report to the WSUS server.  One   way to test would be to go to one of the computers that should be getting the policy.  Go to the command line and type "gpupdate /force" and once that's complete, reboot the machine.  It should see the new policy and appear in the WSUS interface.  If you don't see it, a way to verify that GPOs are being applied is the command gpresult.  Running that on the client will let you see what GPOs are being applied.
camilorgpAuthor Commented:

I know this is not the original question, but for some reason the GPO I created is not being applied. I created this GPO from AD to affect only one especific OU. I check the GPO and it looks like is all right but after running gpupdate /force and rebooting, I run gpresult and my GPO does not appear on the list. Do you have any ideas as to why could this be happening?
Make sure the GPO Scope has Domain Computers in the Security Filtering.
camilorgpAuthor Commented:
I just add the 'Domain Computers" to the Scope of the policy, ran gpupdate /force and rebooted, but gpresult keeps showing only "Default Domain Policy" under "applied GPOs". And of course WSUS Administrator still not showing the computer listed.  

What information do you need in order to verify that my GPO doesn't have any errors, or to find out the reason why is not being applied?
The GPO is linked correct?
camilorgpAuthor Commented:
What do you mean? can you explain?
camilorgpAuthor Commented:
This is an snapshot of my GPMC. The only difference that I can tell with the other GPOs is that mine "Windows Software Update" has a gray lock in its icon. But I don't know what it means.
camilorgpAuthor Commented:
It turns out that I just had to wait, the GPO finally was applied sometime last night and I can now see the clients liested on my WSUS.
camilorgpAuthor Commented:
Thanks for all your help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.