Solved

DNS net masking & round robin query and WSUS

Posted on 2014-04-20
Last Modified: 2014-04-20
Hi all, I have a query re round robin and net masking. Below is the example config of how a record is set up. The sites below are split geographically and have varying connection speeds. On occasion when I ping wsus.company.com on the local LAN I will get a reply from one of the other subnets. I'm guessing that if the clients on the other sites report to a WSUS server on another subnet it will pull the updates from there. Is this correct? And if so, what can be done, if anything, to correct this?

Thanks in advance

wsus.company.com

10.68.30.x
10.68.20.x
10.67.40.x
10.67.10.x
10.69.50.x
10.69.60.x
Question by:cwstad2
12 Comments
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40011362
I'm guessing that if the clients on the other sites report to a WSUS server on another subnet it will pull the updates from there. Is this correct?

yes

as far as solving the problem, if each subnet has dedicated dns servers, it could be done easily by sticking different addresses. if not you should not use round robin and rely on subnet prioritization

http://technet.microsoft.com/en-us/library/cc961422.aspx

basically, in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
add a dword LocalNetPriority with value 1
you can disable round-robin from the same location

unfortunately, these settings are server-wide, so if you need round-robin for other reasons, microsoft's dns can't help you.
0
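Added example, not part of the thread: a small Python model of the behaviour discussed in the comment above, comparing plain round robin with subnet prioritization for the six WSUS records in the question. The host octet .5, the client addresses and the /24 prefix are assumptions made for the example; this is a model of the ordering, not Microsoft's DNS code.

```python
import ipaddress

# Constructed sample data: the question gives only 10.68.30.x etc., so the
# host octet .5 for every WSUS server is an assumption.
WSUS_RECORDS = ["10.68.30.5", "10.68.20.5", "10.67.40.5",
                "10.67.10.5", "10.69.50.5", "10.69.60.5"]


def round_robin(records, turn):
    """Rotate the record list by one position per query."""
    shift = turn % len(records)
    return records[shift:] + records[:shift]


def order_answers(client_ip, records, turn, local_net_priority, prefix=24):
    """Return the A records in the order the client would receive them.

    prefix=24 is an assumption: every site is treated as a /24, matching
    the 10.x.y.x notation used in the question.
    """
    rotated = round_robin(records, turn)
    if not local_net_priority:
        return rotated
    net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    local = [r for r in rotated if ipaddress.ip_address(r) in net]
    remote = [r for r in rotated if ipaddress.ip_address(r) not in net]
    # Addresses on the client's subnet go first; rotation is kept per group.
    return local + remote


def remote_hits(client_ip, records, queries, local_net_priority, prefix=24):
    """Count queries whose first answer lies outside the client's subnet."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    hits = 0
    for turn in range(queries):
        first = order_answers(client_ip, records, turn,
                              local_net_priority, prefix)[0]
        if ipaddress.ip_address(first) not in net:
            hits += 1
    return hits


if __name__ == "__main__":
    client = "10.68.30.77"  # constructed client on the first site
    print("round robin only:", remote_hits(client, WSUS_RECORDS, 12, False))
    print("subnet priority :", remote_hits(client, WSUS_RECORDS, 12, True))
    # A client on a subnet with no WSUS record always gets a remote server.
    print("unlisted subnet :", remote_hits("10.70.1.9", WSUS_RECORDS, 12, True))
```

The last case is the one to watch in practice: a client whose subnet has no matching record still rotates across remote servers, so subnet prioritization only helps sites that have their own WSUS address in the record set.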
 
LVL 15

Author Comment

by:cwstad2
ID: 40011367
Hi thanks for your reply.  
if each subnet has dedicated dns servers, it could be done easily by sticking different addresses
Each site has its own DNS server and each of the WSUS servers has an A record associated with it.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40011421
then you can setup the proper wsus address in each lan's dns instead of all the addresses. ideally you would setup the local wsus and a backup without round-robin so as to have failover, but it is overkill if you need more than a few minutes to get it to work as expected.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011426
I think this is where the issue arises. So to keep group policy to a minimum the "Specify intranet Microsoft update service location" in WSUS is set to http://WindowsUpdate that then picks up one of the IP addresses of the other servers based on the A record. Or am I missing what you have said?
then you can setup the proper wsus address in each lan's dns instead of all the addresses
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40011508
i'm the one who does not understand, now.

we're talking about clients selecting the proper wsus server. this has no relation with windowsupdate. you can chain wsus servers if you want but the config of the servers is quite beyond the scope of this question. there is no gain bandwidth-wise to use anything other than windowsupdate.com so you should not change this setting unless you have another reason to do so.

my understanding is that you already configured wsus.yourcompany.com as the update server used by the clients, and you want each client to connect to the local server rather than selecting one of them randomly

in order to achieve this, you need to either

  • change your gpo so clients use different servers (example 10.wsus.yourcompany.com, 20.wsus.yourcompany.com rather than just wsus.yourcompany.com) and configure those addresses to each point to the wsus server of each facility
  • make sure wsus.yourcompany.com resolves to the local server aka when a client in the 10.68.30.x network sends the query, the server responds with the address in the 10.68.30.x network first. this is what i was answering to until now
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011551
Hi thanks for your reply. I think you have confirmed what I was thinking in relation to the GPOs. I have 4 GPOs at the moment, to administer the updates via 6 replica WSUS servers. If I'm unable to remove round robin, and the 10.wsus.yourcompany.com etc etc, then I will have to create 4 GPOs for each server? I was just curious if there was something smart that I could do in DNS to get around the issue. Thanks for your time
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 2000 total points
ID: 40011640
i'd assume the address of the server is in a single gpo and the other 3 could be shared but you probably know better

as far as dns is concerned, i already answered in my first post. unless there is something unclear, there is nothing useful i could add. if you cannot remove the round-robin, and want to do it in dns, you'll have to use another dns server than microsoft's (or rather a tiny forwarder) that can do network preference. likely this will be as complicated as setting up multiple gpos. what else do you need round-robin for ?

another idea could be to create entries in the host files of the computers rather than relying on the dns. this can be done with a few lines script deployed through a GPO. it's quite dirty but might be a workable solution

i forgot that if you have different dns suffixes in each office, you'd be able to do that quite easily, but you probably would not be posting if that were the case
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011645
I will check re the round robin. Interesting idea for the hosts entry, I think I will give that a try. I really appreciate the time and effort you have put into the replies. Thanks again
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40011648
Disabling round robin will create other issues

Instead of using wsus.domain.com in WSUS GPO, simply put local IP address of respective WSUS server in respective GPO
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011655
Hi Mahesh, I'm trying to minimise the number of GPOs; I have 4 currently. If I put the IP in the GPO then I will have to times the number of GPOs by the number of downstream servers. Is that correct?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40011659
The GPO count should be equal to number of WSUS servers you wanted to use
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40011663
I have this question open. Please post there so I can assign you points. You've helped me a lot this week

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28415445.html
0
