
WSUS GPO: Specify intranet Microsoft Update service location


Bob

May 2, 2007, 2:15:02 PM
How can I control which WSUS server a computer uses based upon the site they
are located at?

I see in GPMC that there is a Sites folder and I can display my three sites
within it. It looks like I can link GPO's to the site also. But I don't see
this as a valid technique to use in the document "Deploying Microsoft Windows
Server Update Services 3.0".

Instead, I read in "Appendix D: Configure WSUS for Roaming Clients" that
this should be controlled by making entries in DNS. And then the final step
reads:

Step 5: Configure WSUS clients to use the same host name
When you set up WSUS client computers (see Update and Configure the
Automatic Updates Client), make sure to use the same host name you have set
up as the WSUS server.

So now I'm confused. Any ideas on how to control which WSUS server a client
uses?

--
Bob

Florian Frommherz

May 2, 2007, 2:27:35 PM
Howdie Bob!

Bob wrote:
> I see in GPMC that there is a Sites folder and I can display my three sites
> within it. It looks like I can link GPO's to the site also. But I don't see
> this as a valid technique to use in the document "Deploying Microsoft Windows
> Server Update Services 3.0".

When you have multiple sites with multiple WSUS servers, you can simply
create multiple GPOs (one for each site) and set the "Specify intranet
Microsoft Update service location" option to the site's WSUS's server
name. That should work out well.
You don't need to mess around with the client's DNS settings as they
should work well anyway if they can contact a Domain Controller and pick
up Group Policy.

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

Bob

May 2, 2007, 2:45:02 PM
Howdie back Florian!

To be clear:
1) Using GPMC, link a unique WSUS GPO to each site and set the setting
"Specify intranet Microsoft update service location" to point to the site's
respective WSUS server. This will work for both workstations and Domain
Controllers at that site?

2) If the above is true, then I should not have any other WSUS GPOs linked
at the "Domain Controllers" or "Computers" OU's (like I used to do when I had
only one site).

How can I confirm what site the workstation is actually associated with?
All I know how to do is query "set locations" at the workstation cmd prompt.
But that only tells me which server it last authenticated with.

p.s. If you can't guess, I've never used the "Sites" container in GPMC
before, so I want to make sure I understand it.

Thanks!
--
Bob

Jack Doyle

May 2, 2007, 3:09:27 PM
When you configured Sites and Services in Active Directory, you
associated subnets with sites. Your computer will automatically be
assigned to the correct site when it logs in based on the subnet that
it is part of.

You don't technically assign computers to sites... it is dynamic.

Regards,
Jack Doyle, Systems Engineer
ScriptLogic Corporation
http://www.scriptlogic.com

Bob

May 2, 2007, 3:23:02 PM
Thanks Jack,
That part I understood, although I found out the hard way that DFS uses the
IP address of the DC rather than what site container the DC is in. But that's
another story. :-(

Well it seems simple enough, so I'll give it a try. Thanks!

--
Bob

Bob

May 2, 2007, 3:25:15 PM
One thing I'm afraid of however:

If the site is down, the workstation will naturally log onto the next
closest site. I'm thinking when that happens, the workstation will now become
a member of two WSUS servers. I don't know if this is necessarily a bad
thing, but I'm thinking I'd like to prevent that if possible.
--
Bob

Jack Doyle

May 2, 2007, 3:34:33 PM
No problem, Bob. Good luck.

--

kj

May 2, 2007, 5:53:37 PM
Bob wrote:
> One thing I'm afraid of however:
>
> If the site is down, the workstation will naturally log onto the next
> closest site. I'm thinking when that happens, the workstation will
> now become a member of two WSUS servers. I don't know if this is
> necessarily a bad thing, but I'm thinking I'd like to prevent that if
> possible.

Yes, it will. Consider setting up all your WSUS servers with the same
computer groups and using client side targeted groups in your WSUS group
policy. That way no matter what site they pop up on, they'll target
themselves to the correct WSUS computer group.
--
/kj
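
Added example, not part of the thread: a PowerShell check that reports which Active Directory site a client currently maps to and which WSUS server and client-side target group its applied policy actually contains. The site names and URLs in `$ExpectedWsus` and the function names are constructed placeholders; the registry values are the ones the Windows Update policy settings write.

```powershell
# Expected WSUS server per AD site (constructed sample values; replace with your own).
$ExpectedWsus = @{
    'SiteA' = 'http://wsus-a.example.internal'
    'SiteB' = 'http://wsus-b.example.internal'
    'SiteC' = 'http://wsus-c.example.internal'
}

function Get-ClientSite {
    # Site that AD derives from the subnet the machine is currently on.
    try {
        [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        '(no site)'   # subnet not mapped to a site, or no DC reachable
    }
}

function Get-WsusPolicy {
    # Values written by the Windows Update group policy settings.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $wu.WUServer
        WUStatusServer     = $wu.WUStatusServer
        UseWUServer        = [bool]$au.UseWUServer
        TargetGroupEnabled = [bool]$wu.TargetGroupEnabled
        TargetGroup        = $wu.TargetGroup
    }
}

function Test-WsusAssignment {
    param([hashtable]$Expected)
    $site   = Get-ClientSite
    $policy = Get-WsusPolicy
    $want   = $Expected[$site]
    $issues = @()
    if (-not $want) { $issues += "no expected WSUS server listed for site '$site'" }
    elseif ($policy.WUServer -ne $want) { $issues += "WUServer is '$($policy.WUServer)', expected '$want'" }
    if ($policy.WUServer -ne $policy.WUStatusServer) { $issues += 'WUServer and WUStatusServer differ' }
    if (-not $policy.UseWUServer) { $issues += 'UseWUServer is not set, so WUServer is ignored' }
    if (-not $policy.TargetGroupEnabled) { $issues += 'client-side targeting is not enabled' }
    [pscustomobject]@{ Site = $site; Policy = $policy; Issues = $issues }
}

Test-WsusAssignment -Expected $ExpectedWsus | Format-List
```

Run it after `gpupdate /force` on a client in each site; an empty `Issues` list means the site-linked GPO and the target group both arrived as intended.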


Roger Abell [MVP]

May 3, 2007, 4:20:58 AM
I don't quite know what you mean by "the site is down".
If the workstation is using an IP in one of that site's subnets,
it will be controlled by the site-linked GPO for that site.
Whether the DC of that site is down, or the WSUS of that
site is down is another matter. The client will still find a
DC and get the site-linked GPO for the IP it is using (the
site it is in). If that means its site-local WSUS is down
then that means it will not be updating with its WSUS.
You can use DNS to have more than one machine's IP
returned when the site's WSUS hostname is resolved.

"Bob" <86c6c2e6-...@news.postalias> wrote in message
news:A2E5341F-EA9A-4AEC...@microsoft.com...

Jack Doyle

May 3, 2007, 8:43:48 AM
Roger is correct. If the DC in that site is down, another DC will be
contacted. However, even the other DC knows about all of the other
sites' linked Group Policies as well as which site the client is in. He
will apply the client's correct Group Policy. In this case, it is not
likely the same GPOs that that domain controller is typically applying,
but, the correct ones in this case.

--

Bob

May 11, 2007, 2:11:04 PM
Okay, thanks all. I think I understand it now!
--
Bob