Solved

WSUS DNS setup for upstream host and replicas

Posted on 2014-04-17
Last Modified: 2014-04-21
Hi all, we have a setup whereby we have one upstream server and multiple replicas. I have a question re the DNS setup. Currently there are multiple IP entries that point to the WSUS server. These sites are based at different geographical locations. Is this the best way to configure it, or is there a better way? It looks as though some of the PCs on one site are pointing to a WSUS server on another site.
0
Question by:cwstad2
24 Comments
 
LVL 20

Assisted Solution

by:Peter Hutchison
Peter Hutchison earned 300 total points
ID: 40008431
What you would do is use Group Policies to configure Windows Updates to computer objects in different OUs. There you can specify different URLs to different WSUS servers for each site.

See Computer Configuration, Windows Components, Windows Settings and configure
'Specify intranet Microsoft update service location' to point to different WSUS servers.
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 300 total points
ID: 40008734
In addition to above, you should have the 'Specify intranet Microsoft update service location' point to the "IP Address" for each site.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40008787
Thanks guys, does that mean I will have to have a separate GPO for each site?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40008880
Yes, you *MUST* if you want your client PCs to point to replicas. That is the only way.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40008888
That will complicate things but thank you for the info. Much appreciated.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40010067
Do you create different GPOs for each site, guys? So if for example I have 10 replica servers and 4 different patch deployment policies, does that mean I would need to create 40 individual GPOs?
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011328
Hi, I read this on a Microsoft forum; this is what is set up currently but is different to your suggestion. Thanks for your help.

Non-centralized architectures can better route clients through DNS Netmask ordering
Microsoft DNS Round Robin will first provide an IP address in the same subnet as the requestor
If no IP exists in the same subnet, a random IP will be selected

All WSUS hosts must respond to the same FQDN
DNS FQDN record is populated with IP addresses of all WSUS servers in the network
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011674
So if I put the IP address of the local WSUS server into the 'Specify intranet Microsoft update service location' of the GPO then I will have to have a separate GPO for each of the replica servers. So if I had 4 original GPOs with different install schedules, and 10 downstream servers, I would have to create 40 GPOs?
0
 
LVL 38

Assisted Solution

by:Mahesh
Mahesh earned 1400 total points
ID: 40011688
Create WSUS GPOs equal to WSUS servers IP addresses you wanted to use.
The better option in both questions \ case is to define IP address in each GPO instead of multiple DNS host names

Just to clarify, also you don't have to create 40 GPOs.

If you are using client-side targeting in the WSUS GPO so that clients automatically get into their respective WSUS computer groups, then create a WSUS computer group for each IP address and link these GPOs to multiple OUs as required.

Now computers in every OU under the scope of the same GPO will get collected into one WSUS group on the WSUS server.

Mahesh.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011723
I think I must be missing something here. So if I have the downstream servers listed below and I alter the 'Specify intranet Microsoft update service location' by entering one of the IPs, how can I possibly have only the same number of GPOs that I had originally (4) if I need to point the GPO to the local IP address of the downstream server on that subnet?

wsus.company.com

10.68.30.x
10.68.20.x
10.67.40.x
10.67.10.x
10.69.50.x
10.69.60.x

GPO's
WSUS
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 40011731
I don't see any way for that; either you need to reduce the WSUS servers to 4 only or you need to increase the GPO count to equal the number of IP addresses.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011732
Thanks, I thought I was going mad ;') They are in different geographical locations, hence the need for the downstream replica servers on each of the sites. I have 4 different restart schedule GPOs and I don't really want to create each of those on each site as there will be a large number of GPOs. Can I ask how you manage multi-site with multiple downstream servers? Your time is greatly appreciated.
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 40011757
First you need to decide which site reports to which downstream server.

Then create one GPO per downstream server and then latch\link the respective GPO to all respective sites (OUs) that report to that particular downstream server.

Note that if you have one downstream server per site, then you must create one GPO per site.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40012104
OK thanks, to summarise: create one new GPO per site. Use the IP address of the local WSUS server and enter that into the GPO 'Specify intranet Microsoft update service location'. Do I have to disable or not configure the 'Specify intranet Microsoft update service location' on all of the other Tier GPOs?
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 40012109
You have to configure this option in every GPO for the respective site WSUS servers; you simply cannot skip that.

What you can do is apply the same policy to multiple sites \ OUs if you want them to communicate with the same update server.

Mahesh.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40012136
Morning / Afternoon Mahesh. So for download server 10.68.30.x, I would have to change all 4 tier GPOs and enter that IP address? Or do I just let group policy inheritance take care of it, and only make the changes as below?

NY
NY GPO
Tier
London Tiers
London GPO
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 40012271
You have applied all the GPOs to the same OU; not sure what your requirement is.

This will not suffice for your requirement.

You need to apply only one GPO per location (local WSUS server)
Ex:
London OU will have one GPO pointing to the London local WSUS server
New York OU will have one GPO pointing to the New York local WSUS server

Also in the screenshots I see the London and New York servers are placed in the same subnet; are they in the same segment and datacenter?
In that case why do you require multiple servers?

Mahesh.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40012277
This is just an example on a test system. This is where I'm not following. Can I not have 4 Tier GPOs in total and apply them to any OU as long as the WSUS London GPO is applied and inherited? Or will I have to create 4 new tier GPOs for each site? Thanks
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 40012283
Ok

Yes, you can apply the same GPO on multiple OUs \ a top-level OU so that its settings will get inherited by down-level OUs in the hierarchy.

But you should not apply the London GPO to the NY OU as it will defeat the purpose of using a local WSUS server.

Not sure where the confusion is...

You need to create multiple GPOs, one corresponding to each IP
On every site apply only the one GPO intended for that site
Now all sub-OUs in that OU will get settings from that GPO only

Not sure why you stick to 4 GPOs only when you have 10+ WSUS servers, if I am not wrong...

You need to create one GPO for every WSUS server

Mahesh.
0
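Added example, not part of the thread or any poster's own code: a PowerShell script for the layout described above, with one location GPO per downstream WSUS server, linked only to that site's OU and then read back for review. The site names, OU paths, GPO naming, documentation-range addresses and port 8530 are assumptions made for illustration.

```powershell
# Added example: one WSUS location GPO per downstream server, linked to that site's OU.
# Requires the GroupPolicy module (GPMC/RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

# Constructed sample data: the addresses are documentation placeholders and the
# OU paths are hypothetical; neither comes from the thread.
$Sites = @(
    @{ Name = 'London';  Wsus = '192.0.2.10';    OU = 'OU=London,DC=example,DC=com'  }
    @{ Name = 'NewYork'; Wsus = '198.51.100.10'; OU = 'OU=NewYork,DC=example,DC=com' }
)
$Port  = 8530   # assumption: WSUS default HTTP port on Server 2012 and later
$WuKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

$report = foreach ($site in $Sites) {
    $gpoName = "WSUS Location - $($site.Name)"
    $url     = "http://$($site.Wsus):$Port"

    # Reuse an existing GPO so the script can be re-run without creating duplicates.
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName -Comment "Points clients at $url" | Out-Null
    }

    # 'Specify intranet Microsoft update service location' stores these two values.
    foreach ($valueName in 'WUServer', 'WUStatusServer') {
        Set-GPRegistryValue -Name $gpoName -Key $WuKey -ValueName $valueName `
            -Type String -Value $url | Out-Null
    }
    # UseWUServer = 1 makes the update client use the intranet server above.
    Set-GPRegistryValue -Name $gpoName -Key "$WuKey\AU" -ValueName 'UseWUServer' `
        -Type DWord -Value 1 | Out-Null

    # Link the GPO to its own site OU only, and only if it is not linked already.
    $linked = (Get-GPInheritance -Target $site.OU).GpoLinks.DisplayName
    if ($linked -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $site.OU -LinkEnabled Yes | Out-Null
    }

    # Read the setting back from the GPO so the site-to-server mapping can be reviewed.
    [pscustomobject]@{
        Site     = $site.Name
        GPO      = $gpoName
        LinkedTo = $site.OU
        WUServer = (Get-GPRegistryValue -Name $gpoName -Key $WuKey -ValueName 'WUServer').Value
    }
}
$report | Format-Table -AutoSize
```

On a client, after `gpupdate /force`, the same `WUServer` value appears under that policy key in the local registry, which gives a second check alongside windowsupdate.log.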
 
LVL 15

Author Comment

by:cwstad2
ID: 40012292
That's great, I think we are there. I tested on my system and the windowsupdate.log showed the correct IP address for the WSUS server. I will create the 10 GPOs with the IP address of the local WSUS servers. I will then apply the 4 Tier GPOs to the same OU as the WSUS location GPO. The 4 tiers have different scheduled times for different download and install. Appreciate the help.
0
 
LVL 38

Accepted Solution

by:Mahesh
Mahesh earned 1400 total points
ID: 40012319
OK, got it.
But still I don't see any requirement for 4 tier GPOs.
Only a single GPO would be required per OU.

The WSUS server will not be able to identify multiple GPOs to separate updates for different download and install options.

Once you have approved an update it will simply be downloaded from the internet \ upstream WSUS server and get pushed to client computers.

Mahesh.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40012322
I've been testing the system by putting the computers in to security groups
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 40012353
OK
Now got it
So you are using the GPO security filtering feature

Good Luck
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40012360
That's the plan. I know it's not the best way but we have limited OUs. Thanks for your help, much appreciated.
0

Question has a verified solution.