Solved

DNS net masking & round robin query and WSUS

Posted on 2014-04-20
Last Modified: 2014-04-20
Hi all, I have a query re round robin and net masking. Below is the example config of how a record is set up. The sites below are split geographically and have varying connection speeds. On occasion when I ping wsus.company.com on the local LAN I will get a reply from one of the other subnets. I'm guessing that if the clients on the other sites report to a WSUS server on another subnet it will pull the updates from there. Is this correct? And if so what can be done if anything to correct this.

Thanks in advance

wsus.company.com

10.68.30.x
10.68.20.x
10.67.40.x
10.67.10.x
10.69.50.x
10.69.60.x
Question by:cwstad2
12 Comments
 

Expert Comment

by:skullnobrains
ID: 40011362
I'm guessing that if the clients on the other sites report to a WSUS server on another subnet it will pull the updates from there. Is this correct?

yes

as far as solving the problem, if each subnet has dedicated dns servers, it could be done easily by sticking different addresses. if not you should not use round robin and rely on subnet prioritization

http://technet.microsoft.com/en-us/library/cc961422.aspx

basically, in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
add a dword LocalNetPriority with value 1
you can disable round-robin from the same location

unfortunately, these settings are server-wide, so if you need round-robin for other reasons, microsoft's dns can't help you.

Author Comment

by:cwstad2
ID: 40011367
Hi thanks for your reply.  
if each subnet has dedicated dns servers, it could be done easily by sticking different addresses
Each site has its own DNS server and each of the WSUS servers has an A record associated with it.

Expert Comment

by:skullnobrains
ID: 40011421
then you can setup the proper wsus address in each lan's dns instead of all the addresses. ideally you would setup the local wsus and a backup without round-robin so as to have failover, but it is overkill if you need more than a few minutes to get it to work as expected.

Author Comment

by:cwstad2
ID: 40011426
I think this is where the issue arises. So to keep group policy to a minimum the Specify intranet Microsoft update service location in WSUS is set to http://WindowsUpdate that then picks up one of the IP addresses of the other servers based on the A record. Or am I missing what you have said
then you can setup the proper wsus address in each lan's dns instead of all the addresses

Expert Comment

by:skullnobrains
ID: 40011508
i'm the one who does not understand, now.

we're talking about clients selecting the proper wsus server. this has no relation with windowsupdate. you can chain wsus servers if you want but the config of the servers is quite beyond the scope of this question. there is no gain bandwidth-wise to use anything other than windowsupdate.com so you should not change this setting unless you have another reason to do so.

my understanding is that you already configured wsus.yourcompany.com as the update server used by the clients, and you want each client to connect to the local server rather than selecting one of them randomly

in order to achieve this, you need to either


change your gpo so clients use different servers (example 10.wsus.yourcompany.com , 20.wsus.yourcompany.com rather than just wsus.yourcompany.com) and configure those addresses to each point to the wsus server of each facility

make sure wsus.yourcompany.com resolves to the local server aka when a client in the 10.68.30.x network sends the query, the server responds with the address in the 10.68.30.x network first. this is what i was answering to until now
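
Added example, not part of any reply in this thread: a small Python model of the behaviour discussed here, showing why round robin alone hands a client in 10.68.20.x a remote WSUS address and what subnet prioritization (the LocalNetPriority setting from the first reply, and the "local address first" option above) does to the first answer. The host octets, the /24 mask and all class and function names are assumptions made for illustration; this is not Microsoft DNS code.

```python
import ipaddress
from collections import deque

# Constructed sample A records for wsus.company.com: one host per site subnet
# from the question (the final octets are made up for this example).
WSUS_RECORDS = ["10.68.30.5", "10.68.20.5", "10.67.40.5",
                "10.67.10.5", "10.69.50.5", "10.69.60.5"]


class ModelDnsServer:
    """Toy model of how one name's A-record set is ordered per query."""

    def __init__(self, records, round_robin=True, local_net_priority=False,
                 prefix_len=24):
        self._records = deque(records)
        self.round_robin = round_robin
        self.local_net_priority = local_net_priority
        self.prefix_len = prefix_len  # assumption: each site is a /24

    def resolve(self, client_ip):
        """Return the ordered answer list a client at client_ip receives."""
        answer = list(self._records)
        if self.round_robin:
            self._records.rotate(-1)  # next query starts one record later
        if self.local_net_priority:
            net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}",
                                       strict=False)
            # Stable sort: records inside the client's subnet move to the
            # front, the others keep their (rotated) relative order.
            answer.sort(key=lambda a: ipaddress.ip_address(a) not in net)
        return answer


def first_answers(server, client_ip, queries):
    """First address returned for each of `queries` consecutive lookups."""
    return [server.resolve(client_ip)[0] for _ in range(queries)]


if __name__ == "__main__":
    client = "10.68.20.77"  # constructed client address on one site
    print(first_answers(ModelDnsServer(WSUS_RECORDS), client, 3))
    print(first_answers(
        ModelDnsServer(WSUS_RECORDS, local_net_priority=True), client, 3))
```

A client whose address matches none of the record subnets still gets the plain rotated order, which is the case to check for on sites that have no WSUS server of their own.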

Author Comment

by:cwstad2
ID: 40011551
Hi thanks for your reply. I think you have confirmed what I was thinking in relation to the GPOs. I have 4 GPOs at the moment, to administer the updates via 6 replica WSUS servers. If I'm unable to remove round robin, and the 10.wsus.yourcompany.com etc etc, then I will have to create 4 GPOs for each server? I was just curious if there was something smart that I could do in DNS to get around the issue. Thanks for your time

Accepted Solution

by:
skullnobrains earned 500 total points
ID: 40011640
i'd assume the address of the server is in a single gpo and the other 3 could be shared but you probably know better

as far as dns is concerned, i already answered in my first post. unless there is something unclear, there is nothing useful i could add. if you cannot remove the round-robin, and want to do it in dns, you'll have to use another dns server than microsoft's (or rather a tiny forwarder) that can do network preference. likely this will be as complicated as setting up multiple gpos. what else do you need round-robin for ?

another idea could be to create entries in the host files of the computers rather than relying on the dns. this can be done with a few lines script deployed through a GPO. it's quite dirty but might be a workable solution

i forgot that if you have different dns suffixes in each office, you'd be able to do that quite easily, but you probably would not be posting if that were the case

Author Comment

by:cwstad2
ID: 40011645
I will check re the round robin. Interesting idea for the hosts entry, I think I will give that a try. I really appreciate the time and effort you have put into the replies. Thanks again

Expert Comment

by:Mahesh
ID: 40011648
Disabling round robin will create other issues

Instead of using wsus.domain.com in the WSUS GPO, simply put the local IP address of the respective WSUS server in the respective GPO

Author Comment

by:cwstad2
ID: 40011655
Hi Mahesh, I'm trying to minimise the number of GPOs; I have 4 currently. If I put the IP in the GPO then I will have to times the number of GPOs by the number of downstream servers. Is that correct?

Expert Comment

by:Mahesh
ID: 40011659
The GPO count should be equal to the number of WSUS servers you wanted to use

Author Comment

by:cwstad2
ID: 40011663
I have this question open. Please post there so I can assign you points. You've helped me a lot this week

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28415445.html