Solved

DNS net masking & round robin query and WSUS

Posted on 2014-04-20
12
861 Views
Last Modified: 2014-04-20
Hi all, I have a query re round robin and net masking. Below is the example config of how a record is set up. The sites below are split geographically and have varying connection speeds. On occasion when I ping wsus.company.com on the local LAN I will get a reply from one of the other subnets. I'm guessing that if the clients on the other sites report to a WSUS server on another subnet it will pull the updates from there. Is this correct? And if so, what can be done, if anything, to correct this.

Thanks in advance

wsus.company.com

10.68.30.x
10.68.20.x
10.67.40.x
10.67.10.x
10.69.50.x
10.69.60.x
0
Comment
Question by:cwstad2
12 Comments
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40011362
I'm guessing that if the clients on the other sites report to a WSUS server on another subnet it will pull the updates from there. Is this correct?

Yes.

As far as solving the problem, if each subnet has dedicated DNS servers, it could be done easily by sticking different addresses. If not, you should not use round robin and rely on subnet prioritization instead.

http://technet.microsoft.com/en-us/library/cc961422.aspx

Basically, in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
add a DWORD LocalNetPriority with value 1.
You can disable round-robin from the same location.

Unfortunately, these settings are server-wide, so if you need round-robin for other reasons, Microsoft's DNS can't help you.
0
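The subnet prioritization setting described above, as an added example that is not from the thread or from Microsoft's documentation. It is assumed to run as an administrator on each site's Windows DNS server; `dnscmd /Config /LocalNetPriority 1` is the equivalent command-line form.

```powershell
# Added example (not from the thread): turn on subnet prioritization on a Windows
# DNS server so a client in 10.68.30.x receives the 10.68.30.x address for
# wsus.company.com first, then verify the ordering from a client's point of view.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Show the current state before changing anything (absent values mean defaults).
Get-ItemProperty -Path $Params -Name LocalNetPriority, RoundRobin -ErrorAction SilentlyContinue |
    Format-List LocalNetPriority, RoundRobin

# LocalNetPriority = 1: order A records by closeness to the querying client's subnet.
Set-ItemProperty -Path $Params -Name LocalNetPriority -Value 1 -Type DWord

# RoundRobin = 0 would disable rotation entirely. It is server-wide, so leave it
# alone unless no other record on this server depends on round robin.
# Set-ItemProperty -Path $Params -Name RoundRobin -Value 0 -Type DWord

# The DNS service reads these parameters at startup.
Restart-Service -Name DNS

# Verification helper: run from a client on the site's LAN after the change.
# Returns $true when the first answer is inside the expected /24 prefix.
# Resolve-DnsName needs PowerShell 3+; on older clients use nslookup instead.
function Test-LocalWsusFirst {
    param(
        [string]$Name = 'wsus.company.com',
        [string]$ExpectedPrefix = '10.68.30',   # constructed: the client's own subnet
        [string]$DnsServer = $env:COMPUTERNAME  # assumption: query this server directly
    )
    $answers = Resolve-DnsName -Name $Name -Type A -Server $DnsServer |
        Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
    Write-Output ("Answer order: " + ($answers -join ', '))
    return ($answers.Count -gt 0 -and $answers[0].StartsWith("$ExpectedPrefix."))
}

Test-LocalWsusFirst
```

The default LocalNetPriorityNetMask treats a /24 as "local", which matches the x-subnets in the question; sites carved into smaller subnets need that value adjusted as well.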
 
LVL 15

Author Comment

by:cwstad2
ID: 40011367
Hi, thanks for your reply.
if each subnet has dedicated DNS servers, it could be done easily by sticking different addresses
Each site has its own DNS server and each of the WSUS servers has an A record associated with it.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40011421
Then you can set up the proper WSUS address in each LAN's DNS instead of all the addresses. Ideally you would set up the local WSUS and a backup without round-robin so as to have failover, but it is overkill if you need more than a few minutes to get it to work as expected.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011426
I think this is where the issue arises. So, to keep group policy to a minimum, the "Specify intranet Microsoft update service location" in WSUS is set to http://WindowsUpdate, which then picks up one of the IP addresses of the other servers based on the A record. Or am I missing what you have said?
then you can set up the proper WSUS address in each LAN's DNS instead of all the addresses
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40011508
I'm the one who does not understand, now.

We're talking about clients selecting the proper WSUS server. This has no relation with WindowsUpdate. You can chain WSUS servers if you want, but the config of the servers is quite beyond the scope of this question. There is no gain bandwidth-wise to use anything other than windowsupdate.com, so you should not change this setting unless you have another reason to do so.

My understanding is that you already configured wsus.yourcompany.com as the update server used by the clients, and you want each client to connect to the local server rather than selecting one of them randomly.

In order to achieve this, you need to either

change your GPO so clients use different servers (for example 10.wsus.yourcompany.com, 20.wsus.yourcompany.com rather than just wsus.yourcompany.com) and configure those addresses to each point to the WSUS server of each facility,

or make sure wsus.yourcompany.com resolves to the local server, i.e. when a client in the 10.68.30.x network sends the query, the server responds with the address in the 10.68.30.x network first. This is what I was answering until now.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011551
Hi, thanks for your reply. I think you have confirmed what I was thinking in relation to the GPOs. I have 4 GPOs at the moment to administer the updates via 6 replica WSUS servers. If I'm unable to remove round robin, and the 10.wsus.yourcompany.com etc., then I will have to create 4 GPOs for each server? I was just curious if there was something smart that I could do in DNS to get around the issue. Thanks for your time.
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 500 total points
ID: 40011640
I'd assume the address of the server is in a single GPO and the other 3 could be shared, but you probably know better.

As far as DNS is concerned, I already answered in my first post. Unless there is something unclear, there is nothing useful I could add. If you cannot remove the round-robin, and want to do it in DNS, you'll have to use another DNS server than Microsoft's (or rather a tiny forwarder) that can do network preference. Likely this will be as complicated as setting up multiple GPOs. What else do you need round-robin for?

Another idea could be to create entries in the hosts files of the computers rather than relying on the DNS. This can be done with a few-line script deployed through a GPO. It's quite dirty but might be a workable solution.

I forgot that if you have different DNS suffixes in each office, you'd be able to do that quite easily, but you'd probably not be posting if that were the case.
0
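The hosts-file approach from the accepted answer, as an added example rather than code from the thread. It is assumed to be deployed as a GPO computer startup script (running as SYSTEM, which can write the hosts file); the WSUS addresses in the site map are constructed placeholders.

```powershell
# Added example (not from the thread): pick the WSUS server on the client's own
# subnet and pin wsus.company.com in the hosts file, bypassing DNS round robin.
# The per-site WSUS addresses below are constructed placeholders; use your own.
$SiteMap = @{
    '10.68.30' = '10.68.30.10'
    '10.68.20' = '10.68.20.10'
    '10.67.40' = '10.67.40.10'
    '10.67.10' = '10.67.10.10'
    '10.69.50' = '10.69.50.10'
    '10.69.60' = '10.69.60.10'
}
$HostName  = 'wsus.company.com'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# IPv4 addresses on IP-enabled adapters, ignoring loopback and APIPA.
# Get-WmiObject is used so the script also runs on PowerShell 2.0 era clients.
$addresses = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' -and $_ -notmatch '^(127\.|169\.254\.)' }

# First /24 prefix found in the site map wins (multi-homed hosts take the first hit).
$target = $null
foreach ($ip in $addresses) {
    $prefix = ($ip -split '\.')[0..2] -join '.'
    if ($SiteMap.ContainsKey($prefix)) { $target = $SiteMap[$prefix]; break }
}

# Remove any earlier pin for this name so repeated runs stay idempotent and a
# laptop that moved sites does not keep a stale entry.
$pattern = "\s$([regex]::Escape($HostName))(\s|$)"
$lines = @(Get-Content $HostsPath | Where-Object { $_ -notmatch $pattern })

if ($target) {
    $lines += "$target`t$HostName`t# pinned by WSUS site script"
    Write-Output "Pinned $HostName to $target"
} else {
    # Unknown subnet: write no pin, so the name falls back to normal DNS.
    Write-Output "No site match for $($addresses -join ', '); $HostName uses DNS"
}
Set-Content -Path $HostsPath -Value $lines -Encoding ASCII
```

Because the pin is only refreshed at startup, a machine that changes subnet while running keeps the previous site's server until the next boot.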
 
LVL 15

Author Comment

by:cwstad2
ID: 40011645
I will check re the round robin. Interesting idea for the hosts entry; I think I will give that a try. I really appreciate the time and effort you have put into the replies. Thanks again.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40011648
Disabling round robin will create other issues.

Instead of using wsus.domain.com in the WSUS GPO, simply put the local IP address of the respective WSUS server in the respective GPO.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011655
Hi Mahesh, I'm trying to minimise the number of GPOs; I have 4 currently. If I put the IP in the GPO then I will have to multiply the number of GPOs by the number of downstream servers. Is that correct?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40011659
The GPO count should be equal to the number of WSUS servers you want to use.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011663
I have this question open; please post there so I can assign you points. You've helped me a lot this week.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28415445.html
0