WSUS - Downstream / Replica / Clients pulling from local server and not remote question.

tbird2340

Sep 24, 2008, 10:56:12 AM
I know this will be a simple question for most..

I am setting up WSUS on our network for the first time. We have over
40 branches.. I'm thinking of the configuration I want to achieve..

I want one master WSUS server that downloads the updates from
Microsoft.. I then want to distribute those updates to branch servers
(downstream servers). Being that I want to manage it all from the
master server, these will also be replica servers..

Here is the issue.. The downstream servers are only going to be at
branches that have a large amount of workstations. The smaller
branches will just pull from the master.. We only have one OU and just
one WSUS GPO which tells all the computers to point to the master WSUS
server..

Once all the computers get added, do I connect to each branch server
via the admin console and add computers to certain groups so they will
pull from this server?

IE:

Branch A = Master Server
Branch B = Downstream / Replica Server

If I create a group named "BranchB Group" in WSUS that group name will
be replicated to all servers (but not any membership)..

I then connect to Branch B server and add workstations that are at
Branch B to the "BranchB Group" and thus they will only pull updates
from server B?

What is the easiest / best way to do what I'm trying to accomplish? I
would think this is standard practice but the guide / manual for WSUS
doesn't really specify.

Thanks

Harry Johnston [MVP]

Sep 24, 2008, 4:53:44 PM
tbird2340 wrote:

> Here is the issue.. The downstream servers are only going to be at
> branches that have a large amount of workstations. The smaller
> branches will just pull from the master.. We only have one OU and just
> one WSUS GPO which tells all the computers to point to the master WSUS
> server..

> Once all the computers get added, do I connect to each branch server
> via the admin console and add computers to certain groups so they will
> pull from this server?

No, you can't do it this way. You have to configure each client to connect to
the appropriate server.

The easiest way to do this is to put the branch clients in separate OUs.

One alternative is to have multiple GPOs on a single OU and use group policy
security filtering to select the appropriate one, although this isn't
recommended as it often causes confusion later on.

It may also be possible to set up your DNS so that a single name (or alias)
points to the appropriate server from the appropriate branches. This depends on
the details of your DNS service. Or you could create a local hosts entry on
each client pointing some DNS name to the right server, although this would mean
changing the configuration on the clients if you ever needed to change the
server IP address.

Harry.

tbird2340

Sep 25, 2008, 8:47:09 AM
On Sep 24, 4:53 pm, "Harry Johnston [MVP]" <ha...@scms.waikato.ac.nz>
wrote:

I also read about doing it by specifying a setting in a GPO linked to the
main site and linking that GPO to sites too small to have their own WSUS
server as well. Use a GPO that is unique just to WSUS settings if you
have other site-specific settings. So for me it would be like this I
believe:

We currently have 4 sites created.. All of our subnets (75) are
assigned to one of those sites. We use this to assign a specific proxy
server policy..

So currently:
SiteA - Has Subnets / Branches 1-10 - Uses GPO ProxyA
SiteB - Has Subnets / Branches 11-20 - Uses GPO ProxyB
SiteC - Has Subnets / Branches 21-60 - Uses GPO ProxyC
SiteD - Has Subnets / Branches 61-75 - Uses GPO ProxyD

For the new scenario, if I have one of my branches that I want to have
its own WSUS server I would have to create another Site and add just
that subnet to it, and then also link the correct Proxy GPO that it
was in, correct?

New Setup:
Branch5 was initially in SiteA using GPO ProxyA. I want Branch5 to
have its own WSUS server and its nodes to pull from the local branch
WSUS server. I create another Site (SiteD), add Branch5 subnet to it,
create a "Branch5 WSUS" GPO and assign it to it, and then also link
GPO ProxyA to that site as well?

And for the rest of the sites I create a "WSUS Master" GPO and link
them to it?

Or would creating separate OUs be easier?

tbird2340

Sep 25, 2008, 8:52:45 AM
On Sep 24, 4:53 pm, "Harry Johnston [MVP]" <ha...@scms.waikato.ac.nz>
wrote:

So for using OUs..

I can specify a Domain level GPO that points to the master WSUS server
and then create OUs for the branches in which I want to have their
own WSUS server which the clients pull from..

Then in the OU I would create its own WSUS GPO pointing to its local
server.

Downside of this is I would have to manually add the PCs to the OU
instead of them getting put there automatically like sites would do,
right?

Wolfgang Steger

Sep 25, 2008, 3:21:57 PM

tbird2340 wrote:
[...]

>
> So for using OUs..
>
> I can specify a Domain level GPO that points to the master WSUS server
> and then create OUs for the branches in which I want to have their
> own WSUS server which the clients pull from..
>
> Then in the OU I would create its own WSUS GPO pointing to its local
> server.
>
> Downside of this is I would have to manually add the PCs to the OU
> instead of them getting put there automatically like sites would do,
> right?

You would have to add the PCs to the OUs manually - bad if there are
laptops roaming around or similar...

But AFAIK you would also need a DC for every site to make the clients
recognize the sites!

Another idea (without using GPOs for Site selection): Set the site
selection setting via a boot-time batch script.

Just my 2cc, Wolfgang (no MVP)

--
ping 0x7f000001 succeeds
- where's that damned host?
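Wolfgang's boot-time script idea, worked through as an added example (this is not code from the thread or from any of the posters): a PowerShell computer startup script that matches the client's IPv4 address against the subnet-to-site mapping the original poster already maintains and points Windows Update at the WSUS server for that site, falling back to the master for any subnet not listed. The subnets, site names, host names and port 8531 (WSUS over SSL) are assumed placeholders; the registry values written are the ones the "Specify intranet Microsoft update service location" policy writes.

```powershell
# Added example, not from the thread. Subnets, site names and host names below are
# constructed placeholders. Run as a computer startup script (SYSTEM) so HKLM is writable.

$MasterServer = 'https://wsus-master.corp.example:8531'   # assumed master, SSL port
$SiteMap = @(
    @{ Cidr = '10.5.0.0/16'; Site = 'Branch5'; Server = 'https://wsus-branch5.corp.example:8531' },
    @{ Cidr = '10.7.0.0/16'; Site = 'Branch7'; Server = 'https://wsus-branch7.corp.example:8531' }
)

function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network byte order -> host order for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    # Mask built arithmetically: PowerShell parses 0xFFFFFFFF as the signed value -1.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask)
}

function Get-LocalIPv4 {
    # .NET lookup rather than Get-NetIPAddress so it also runs on older clients.
    [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' -and
                       -not $_.ToString().StartsWith('169.254.') } |   # skip APIPA
        ForEach-Object { $_.ToString() }
}

function Select-WsusServer {
    param([string[]]$Addresses)
    foreach ($entry in $SiteMap) {
        foreach ($ip in $Addresses) {
            if (Test-InSubnet -Ip $ip -Cidr $entry.Cidr) {
                return [pscustomobject]@{ Site = $entry.Site; Server = $entry.Server }
            }
        }
    }
    # Unlisted subnet (small branch, VPN, unknown): use the master, as the poster intends.
    [pscustomobject]@{ Site = 'Master'; Server = $MasterServer }
}

function Set-WsusServer {
    param([string]$Server)
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    foreach ($key in @($policy, "$policy\AU")) {
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    }
    Set-ItemProperty -Path $policy -Name WUServer       -Value $Server -Type String
    Set-ItemProperty -Path $policy -Name WUStatusServer -Value $Server -Type String
    Set-ItemProperty -Path "$policy\AU" -Name UseWUServer -Value 1 -Type DWord
    Restart-Service -Name wuauserv
    # Drop the cached server/group assignment and detect against the new server.
    & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
}

$choice = Select-WsusServer -Addresses (Get-LocalIPv4)
Write-Output "Site $($choice.Site): using $($choice.Server)"
Set-WsusServer -Server $choice.Server
```

Two caveats if you go this route. First, if a GPO also configures the intranet update location, the next group policy refresh overwrites WUServer and the script's choice is lost, so the GPO has to leave that one setting Not Configured (the other Automatic Updates settings can still come from the GPO). Second, the decision is made once at boot: a laptop that boots at home and then connects over VPN keeps the boot-time choice until it restarts, which is the same roaming problem Wolfgang raises for static OUs, just moved to a different moment.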

Harry Johnston [MVP]

Sep 25, 2008, 4:29:57 PM
tbird2340 wrote:

> I also read about doing it by specifying a setting in a GPO linked to the
> main site and linking that GPO to sites too small to have their own WSUS
> server as well. Use a GPO that is unique just to WSUS settings if you
> have other site-specific settings.

You should be able to use site-based group policy. The main issue here is
whether or not you really want the same group policy to apply to every machine
in the site. You may, for example, want to configure servers, or machines that
are still being built, differently from the main set of clients.

What you could do is use site-based group policy to configure the "specify
intranet microsoft update service location" setting, and use OU-based group
policy to specify all the other WSUS settings. You could use "configure
automatic updates" to disable WSUS (or set it for notify only) for machines not
in the main OU, e.g., for machines under construction, and to set
download-and-notify for your server OU.

There may be other ways of setting this up; you might want to discuss with a
group policy expert.

Harry.
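Harry's two replies come down to the same thing: each client has to be told which server to use, and the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" settings can come from different GPOs. Whichever way they are layered, what matters is the value that ends up on the client. This added example (not code from the thread or from any of the posters) reads the WSUS policy values in effect on a client, decodes them, and flags the things that usually go wrong. It assumes nothing about your server names; it reads whatever is set.

```powershell
# Added example, not from the thread. Reads the registry values the WSUS policies write
# and reports what the client will actually do. No server names are assumed.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Meaning of the "Configure Automatic Updates" values (AUOptions).
$AuOptionText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-WsusClientConfig {
    $wu = Get-ItemProperty -Path $PolicyKey      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $wu.WUServer            # "Specify intranet Microsoft update service location"
        WUStatusServer = $wu.WUStatusServer      # where reporting goes (normally the same server)
        UseWUServer    = ($au.UseWUServer -eq 1)
        NoAutoUpdate   = ($au.NoAutoUpdate -eq 1) # "Configure Automatic Updates" set to Disabled
        AUOptions      = $au.AUOptions
        AUOptionsText  = $AuOptionText[[int]$au.AUOptions]
        TargetGroup    = $(if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { $null })
    }
}

function Test-WsusClientConfig {
    param($Config = (Get-WsusClientConfig))
    $findings = @()
    if (-not $Config.UseWUServer -or -not $Config.WUServer) {
        $findings += 'No intranet server in effect: this client will talk to Microsoft Update directly.'
    } else {
        $uri = [uri]$Config.WUServer
        if ($uri.Scheme -ne 'https') {
            # Over plain HTTP nothing authenticates the server to the client, so anyone on the
            # path can alter what the client is told to install. Enable SSL on the WSUS server.
            $findings += "WSUS URL is plain HTTP ($($Config.WUServer)); use the SSL port instead."
        }
        if ($Config.WUStatusServer -ne $Config.WUServer) {
            $findings += 'WUStatusServer differs from WUServer: reports go to a different server than updates.'
        }
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient
            $tcp.Connect($uri.Host, $uri.Port)   # default port is filled in when the URL has none
            $tcp.Close()
        } catch {
            $findings += "Cannot reach $($uri.Host):$($uri.Port) from this client."
        }
    }
    if ($Config.NoAutoUpdate) {
        $findings += 'Automatic Updates is disabled by policy (only intended for machines still being built).'
    }
    $findings
}

Get-WsusClientConfig | Format-List
Test-WsusClientConfig
```

Run it on one machine per branch after the policy refresh, and pair it with `gpresult /r` to see which GPO supplied each value. Group policy is applied in the order local, site, domain, OU, with the later one winning, so in Harry's layout the OU-linked GPOs must leave the intranet server location Not Configured; if one of them sets it, it silently overrides the site GPO. The TargetGroup field shows whether client-side targeting is in use; if it is, the group name has to exist on the server the client reports to, since group membership is not replicated from the master.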

Lawrence Garvin

Sep 25, 2008, 8:35:39 PM
For some reason my posts are not making it to the newsserver - or back to my
reader -- I'm not sure which for sure.

This is a repost of a message I posted yesterday:


"Lawrence Garvin" <lawrence@nospam> wrote in message
news:B355B009-92BF-4771...@microsoft.com...
> "tbird2340" <tbir...@gmail.com> wrote in message
> news:d1c8388e-6b76-43f4...@8g2000hse.googlegroups.com...
>
> In addition to the excellent answers that Harry has already provided...
>
>> We only have one OU . . .
>
> With "over 40 branches" I would think you'd want to seriously rethink this
> particular AD organizational structure.
>
> As Harry has suggested, you should have branch OUs to assist in this
> process, or, at a minimum, create OUs for each group of clients that will
> use the same WSUS Server.
>
> More appropriately, however, with "over 40 branches", and presumably
> remote Domain Controllers at the larger sites, you =should= be using
> Active Directory SITES to properly manage replication amongst those DCs.
>
> Site GPOs can also be used to manage WSUS Server assignments.
>
>

--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin