timb551
asked on
Secondary update source when WSUS is unavailable?
Hi,
Is there a way that we can add a secondary update source when local WSUS is not available?
We have a selection of users who do not come into the office very often and cannot talk to the local WSUS externally.
Is there a way that in group policy we can say use Windows update if they cannot talk to WSUS?
thanks
You can have two WSUS servers in the network, configured in two different GPOs.
ASKER
Thanks, how would that help for external users?
They can still check online when WSUS is not available.
I'd start from the question, what is it you want to address?
One option, as was suggested, is to have two WSUS servers, one the primary while the other is a replica, and the GPO will point the clients to a DNS record, updates.mydomain.com.
The settings on the WSUS replica are to roll up, meaning when clients connect to the replica, the replica will relay the client information to the primary WSUS. In this setup, the content will be duplicated and will exist on both.
Should the primary fail, it is fairly simple to convert the replica to be the primary, which will retain all prior approved/downloaded updates.
The clients will not distinguish which one they are connecting to.
Transitioning to a new WSUS on a new system is ....... subordinate the new WSUS to an existing one; once it is synced up, the new one can become primary when the ... DNS records will need to be updated ahead of the transition to include the new WSUS IP in the listing.
ASKER
Are you talking about having a WSUS open to the web?
No, using a name does not open it to the web.
Instead of publishing an IP for the intranet where the WSUS server is, in your local DNS create a record such as update.mydomain.com and point it to the IP of each of your WSUS servers. This way, should you need to transition from one to a new one, you would not have the delay because you have to update the GPO to point to a new intranet server, or have the issue that some seem to use, which is reusing the IP of the existing one on the new one, limiting one's ability to have both on at the same time to handle a seamless transition......
intranet: http://update.mydomain.com
intranet update: http://update.mydomain.com
Add a port if that is your setup.
This way the client will check with DNS to determine where the WSUS server is.
The TTL on the update record in the mydomain.com DNS section should be set to an amount of time that will allow the transition; for WSUS, potentially your systems are set to check once a day, so a 12 hour TTL should be fine.
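As an added example (not posted in the thread), a client-side check in PowerShell for the DNS-alias approach above: it reads the intranet update location the "Specify intranet Microsoft update service location" GPO writes to the registry (WUServer / UseWUServer), resolves the alias and reports the record TTL, and tests the WSUS port. The alias update.mydomain.com and the port are assumed from the thread; the registry value names are the real ones the policy uses.

```powershell
# Added example: report which update source policy is in effect on this
# client and whether the DNS-alias-based WSUS is reachable from here.
# WUServer / UseWUServer are the values written by the intranet update
# location GPO discussed in the thread.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

$wuServer    = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).WUServer
$useWuServer = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).UseWUServer

if (-not $wuServer -or $useWuServer -ne 1) {
    Write-Output 'No intranet update server policy in effect on this client.'
    return
}

# WUServer is a URL such as http://update.mydomain.com:8530 (assumed alias/port).
$uri = [Uri]$wuServer
Write-Output "Policy points to $wuServer"

# Resolve the alias and show each A record with its TTL, so the cutover
# window (the thread suggests about 12 hours) can be verified.
$records = Resolve-DnsName -Name $uri.Host -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
if (-not $records) {
    Write-Output "DNS lookup for $($uri.Host) failed from this network location."
    return
}
foreach ($r in $records) {
    Write-Output ("  {0} -> {1} (TTL {2}s)" -f $r.Name, $r.IPAddress, $r.TTL)
}

# TCP reachability of the WSUS port; $uri.Port is 80 when the URL has no port.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Output "WSUS reachable on port $($uri.Port) from this network location."
} else {
    Write-Output "WSUS not reachable on port $($uri.Port) from this network location."
}
```

Run it once on the LAN and once from a remote laptop to see which source the client can actually reach under the same GPO.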
ASKER CERTIFIED SOLUTION
People who do not come into the office, do not have GPOs applied.
Using two WSUS instances, where one is a replica that does not save the update contents, seems to be the option you are looking for, where these excluded users will check in with the replica but retrieve the approved updates directly from Microsoft.
ASKER
When the laptop is set up it will pick up the standard company group policies, including this new one.
I will read your replica answers further to see if this is something I can do. But I didn't really want to have to have another server on the network to look after a few users that have laptops.
thanks
GPOs only apply when the system is on the LAN, or if connected via VPN and the connection speed determination is faster than 500kb (slow link detection).
In the absence of a GPO applying, the laptops offsite will get their updates from Microsoft Update.
When on the LAN, they should use the local WSUS to avoid saturating your WAN in the event they retrieve update data while on the LAN.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Accept: timb551 (https:#a42467380)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
seth2740
Experts-Exchange Cleanup Volunteer