• Status: Solved
  • Priority: Medium
  • Security: Public

Secondary update source when WSUS is unavailable?


Is there a way that we can add a secondary update source when local WSUS is not available?

We have a selection of users who do not come into the office very often and cannot talk to the local WSUS externally.

Is there a way that in group policy we can say use Windows update if they cannot talk to WSUS?

1 Solution
Hello There (System Administrator) Commented:
You can have two WSUS in network... Configured in two different GPOs.
timb551 (Author) Commented:
Thanks, how would that help for external users?
Shaun Vermaak (Technical Specialist/Developer) Commented:
They can still check online when WSUS is not available.
I'd start from the question, what is it you want to address?
One option, as was suggested, is to have two WSUS servers, with one the primary while the other is a replica, and the GPO will point the clients to a DNS record, updates.mydomain.com
The setting on the WSUS replica is to roll up, meaning when clients connect to the replica, the replica will relay the client information to the primary WSUS. In this setup, the content will be duplicated and will exist on both.
Should the primary fail, it is fairly simple to convert the replica to be the primary, which will retain all prior approved/downloaded updates.

The clients will not distinguish to which they are connecting.

Transitioning to a new WSUS on a new system is ....... subordinate the new WSUS to an existing, once it is synced up, the new can become primary when the ... DNS records will need to be updated ahead of the transition to include the new WSUS IP in the listing.
timb551 (Author) Commented:
Are you talking about having a WSUS open to the web?
No, using a name does not open it to the web.
Instead of publishing an IP for the intranet where the WSUS server is, in your local DNS create a record such as update.mydomain.com and point it to the IP of each of your WSUS servers. This way, should you need to transition from one to a new one, you would not have the delay because you have to update the GPO to point to a new intranet server, or have the issue that some seem to use, which is reuse the IP of the existing on the new, limiting one's ability to have both on at the same time, to handle a seamless transition......

intranet: http://update.mydomain.com
intranet update: http://update.mydomain.com
Add a port if that is your setup.
This way the client will check with DNS to determine where the WSUS server is.
The TTL on the update record in the mydomain.com DNS section should be set to an amount of time that will allow the transition. For WSUS, potentially your systems are set to check once a day, so a 12 hour TTL should be fine.
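
A client-side check for the setup discussed in this thread, added here as an example and not part of any poster's reply: it reads the registry values written by the "Specify intranet Microsoft update service location" policy, resolves the WSUS name to show its A records and TTL, and tests whether the server is reachable. The function name `Get-UpdateSourceReport` is hypothetical.

```powershell
# Added example (not from the thread). Run on a client to see which update
# source it is configured for and whether that source can be reached.
function Get-UpdateSourceReport {
    # Values written by the WSUS location policy and the "use WSUS" switch.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $report = [ordered]@{
        WUServer       = $wu.WUServer        # "intranet" URL from the GPO
        WUStatusServer = $wu.WUStatusServer  # "intranet update" (statistics) URL
        UseWUServer    = $au.UseWUServer     # 1 = client is told to use WSUS
        Source         = 'Windows Update (no WSUS policy values present)'
        Scheme         = $null
        Addresses      = @()
        DnsTtlSeconds  = $null
        Reachable      = $null
    }

    if ($wu.WUServer -and $au.UseWUServer -eq 1) {
        $uri = [uri]$wu.WUServer
        $report.Source = 'WSUS'
        $report.Scheme = $uri.Scheme   # http or https, as set in the GPO

        # A records behind the name: one per WSUS server during a transition.
        $a = @(Resolve-DnsName -Name $uri.Host -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' })
        if ($a.Count -gt 0) {
            $report.Addresses     = @($a.IPAddress)
            $report.DnsTtlSeconds = ($a | Measure-Object -Property TTL -Minimum).Minimum
        }

        # TCP test against the port in the URL (scheme default if none given).
        $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                                  -WarningAction SilentlyContinue
        $report.Reachable = $tcp.TcpTestSucceeded
    }

    [pscustomobject]$report
}

Get-UpdateSourceReport | Format-List
```

Running it once on the LAN and once offsite shows whether a laptop still carries the WSUS values and whether the name resolves and answers from where it currently sits.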
timb551 (Author) Commented:
I have just created a second group policy for the users who don't come into the office much and set them to go direct to Windows Update rather than our internal WSUS server.

Not perfect but will get the job done for the time being.
People who do not come into the office do not have GPOs applied.

Using two WSUS instances where one is a replica that does not save the update contents seems to be the option you are looking for, where these excluded users will check in with the replica, but retrieve the approved updates directly from Microsoft.
timb551 (Author) Commented:
When the laptop is set up it will pick up the standard company group policies including this new one.

I will read your replica answers further to see if this is something I can do. But I didn't really want to have to have another server on the network to look after a few users that have laptops.

GPOs only apply when the system is on the LAN or if connected via VPN and the connection speed determination is faster than 500kb (slow link detection).

In the absence of a GPO applying, the laptops offsite will get their updates from MS updates.

When on the LAN, they should use the local WSUS to avoid saturating your WAN in the event they retrieve update data while on the LAN.
Seth Simmons (Sr. Systems Administrator) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: timb551 (https:#a42467380)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer