Solved

DNS net masking & round robin query and WSUS

Posted on 2014-04-20
Last Modified: 2014-04-20
Hi all, I have a query re round robin and net masking. Below is the example config of how a record is set up. The sites below are split geographically and have varying connection speeds. On occasion when I ping wsus.company.com on the local LAN I will get a reply from one of the other subnets. I'm guessing that if the clients on the other sites report to a WSUS server on another subnet it will pull the updates from there. Is this correct? And if so, what can be done, if anything, to correct this.

Thanks in advance

wsus.company.com

10.68.30.x
10.68.20.x
10.67.40.x
10.67.10.x
10.69.50.x
10.69.60.x
Question by:cwstad2
12 Comments
 
Expert Comment

by:skullnobrains
ID: 40011362
I'm guessing that if the clients on the other sites report to a WSUS server on another subnet it will pull the updates from there. Is this correct?

Yes.

As far as solving the problem, if each subnet has dedicated DNS servers, it could be done easily by sticking in different addresses. If not, you should not use round robin and rely on subnet prioritization.

http://technet.microsoft.com/en-us/library/cc961422.aspx

Basically, in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
add a DWORD LocalNetPriority with value 1.
You can disable round robin from the same location.

Unfortunately, these settings are server-wide, so if you need round robin for other reasons, Microsoft's DNS can't help you.
Author Comment

by:cwstad2
ID: 40011367
Hi, thanks for your reply.
if each subnet has dedicated DNS servers, it could be done easily by sticking in different addresses
Each site has its own DNS server and each of the WSUS servers has an A record associated with it.
Expert Comment

by:skullnobrains
ID: 40011421
Then you can set up the proper WSUS address in each LAN's DNS instead of all the addresses. Ideally you would set up the local WSUS and a backup without round robin so as to have failover, but it is overkill if you need more than a few minutes to get it to work as expected.
Author Comment

by:cwstad2
ID: 40011426
I think this is where the issue arises. So, to keep group policy to a minimum, the "Specify intranet Microsoft update service location" in WSUS is set to http://WindowsUpdate, which then picks up one of the IP addresses of the other servers based on the A record. Or am I missing what you have said?
then you can set up the proper WSUS address in each LAN's DNS instead of all the addresses
Expert Comment

by:skullnobrains
ID: 40011508
I'm the one who does not understand, now.

We're talking about clients selecting the proper WSUS server. This has no relation with windowsupdate. You can chain WSUS servers if you want, but the config of the servers is quite beyond the scope of this question. There is no gain bandwidth-wise to use anything other than windowsupdate.com, so you should not change this setting unless you have another reason to do so.

My understanding is that you already configured wsus.yourcompany.com as the update server used by the clients, and you want each client to connect to the local server rather than selecting one of them randomly.

In order to achieve this, you need to either:

change your GPO so clients use different servers (for example 10.wsus.yourcompany.com, 20.wsus.yourcompany.com rather than just wsus.yourcompany.com) and configure those addresses to each point to the WSUS server of each facility, or

make sure wsus.yourcompany.com resolves to the local server, i.e. when a client in the 10.68.30.x network sends the query, the server responds with the address in the 10.68.30.x network first. This is what I was answering until now.
Author Comment

by:cwstad2
ID: 40011551
Hi, thanks for your reply. I think you have confirmed what I was thinking in relation to the GPOs. I have 4 GPOs at the moment to administer the updates via 6 replica WSUS servers. If I'm unable to remove round robin, and the 10.wsus.yourcompany.com etc., then I will have to create 4 GPOs for each server? I was just curious if there was something smart that I could do in DNS to get around the issue. Thanks for your time.
Accepted Solution

by: skullnobrains (earned 500 total points)
ID: 40011640
I'd assume the address of the server is in a single GPO and the other 3 could be shared, but you probably know better.

As far as DNS is concerned, I already answered in my first post. Unless there is something unclear, there is nothing useful I could add. If you cannot remove the round robin, and want to do it in DNS, you'll have to use another DNS server than Microsoft's (or rather a tiny forwarder) that can do network preference. Likely this will be as complicated as setting up multiple GPOs. What else do you need round robin for?

Another idea could be to create entries in the hosts files of the computers rather than relying on the DNS. This can be done with a few-line script deployed through a GPO. It's quite dirty but might be a workable solution.

I forgot that if you have different DNS suffixes in each office, you'd be able to do that quite easily, but you probably would not be posting if that were the case.
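A script of the kind the accepted solution describes, added here as an example and not taken from the thread or from any participant: run as a computer startup script through the existing WSUS GPO, it pins wsus.company.com in the client's hosts file to the replica on the client's own subnet. It assumes every site is a /24 network; the replica addresses are constructed placeholders.

```powershell
# Added example (not from the thread): pin wsus.company.com to the WSUS replica on
# the client's own /24 so DNS round robin no longer sends it to a remote site.
# Replica addresses below are constructed placeholders; substitute the real ones.
$WsusName    = 'wsus.company.com'
$WsusServers = @('10.68.30.10', '10.68.20.10', '10.67.40.10',
                 '10.67.10.10', '10.69.50.10', '10.69.60.10')
$HostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# First three octets of an IPv4 address; the sites in the thread are all /24 networks.
function Get-Prefix24([string]$Address) { ($Address -split '\.')[0..2] -join '.' }

# Client IPv4 prefixes from WMI (works on PowerShell 2.0 era clients); skip APIPA.
$localPrefixes = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' -and $_ -notlike '169.254.*' } |
    ForEach-Object { Get-Prefix24 $_ }

# Pick the first replica that shares a /24 with one of the client's addresses.
$target = $WsusServers | Where-Object { $localPrefixes -contains (Get-Prefix24 $_) } |
    Select-Object -First 1

if (-not $target) {
    # No local replica known: leave name resolution to DNS rather than pin a remote one.
    Write-Warning "No WSUS replica on a local subnet; hosts file left unchanged."
    return
}

# Drop any stale line for the WSUS name, then append the local mapping.
$pattern = '\s' + [regex]::Escape($WsusName) + '(\s|$)'
$kept = @(Get-Content $HostsPath | Where-Object { $_ -notmatch $pattern })
Set-Content -Path $HostsPath -Value ($kept + "$target`t$WsusName") -Encoding ASCII
```

Computer startup scripts run as Local System, which is what writing the hosts file requires; if a site later moves to a different prefix length, only Get-Prefix24 needs changing.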
Author Comment

by:cwstad2
ID: 40011645
I will check re the round robin. Interesting idea for the hosts entry, I think I will give that a try. I really appreciate the time and effort you have put into the replies. Thanks again.
Expert Comment

by:Mahesh
ID: 40011648
Disabling round robin will create other issues.

Instead of using wsus.domain.com in the WSUS GPO, simply put the local IP address of the respective WSUS server in the respective GPO.
Author Comment

by:cwstad2
ID: 40011655
Hi Mahesh, I'm trying to minimise the number of GPOs; I have 4 currently. If I put the IP in the GPO then I will have to multiply the number of GPOs by the number of downstream servers. Is that correct?
Expert Comment

by:Mahesh
ID: 40011659
The GPO count should be equal to the number of WSUS servers you want to use.
Author Comment

by:cwstad2
ID: 40011663
I have this question open. Please post there so I can assign you points. You've helped me a lot this week.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28415445.html