WSUS Servers not contacting appropriate server for Updates

    Question

  • We have 3 sites in our organization.

    Site A: 192.168.59.0/24, Site B: 192.168.60.0/24, Site C: 192.168.70.0/24

    Site A and B are in the same Geographical Location and connected by a 1GBit connection. Site C is connected over a 1MBit WAN link in another geographical location.

    Site A has 1 DC with WSUS installed. Site B has 2 DC, 1 DC has WSUS installed. Site C has 1 DC with WSUS installed.

    All servers are 2008 R2 servers. The WSUS server in site A is the Master WSUS server, and the two servers in Site B and Site C are replicas.

    I have set up DNS round robin and netmask ordering for the WSUS servers, which is working fine. All the clients in their respective sites / subnets are contacting the appropriate WSUS server for the site / subnet.

    The issue is with the servers themselves. The WSUS server in Site C sometimes contacts the WSUS server in Site A or B. This means downloading updates over a 1Mbit WAN link, rather than from itself! The same happens with the other two WSUS servers in the other sites, and the 1 DC without WSUS. Only the domain controllers are contacting WSUS servers outside their subnet, not other servers that have statically assigned addresses. (e.g. SQL...).

    AD sites and services has been configured correctly i.e. appropriate subnets configured and assigned to the appropriate site. The correct servers are showing in the appropriate sites.

    IPv6 is enabled in our environment. Is the issue related to the fact the servers are looking in DNS via IPv6? If so, how do I create the appropriate AAAA record for WSUS in DNS? And why is it just the domain controllers that this is occurring?

    Saturday, June 22, 2013 5:33 AM

Answers

  • The issue is with the servers themselves. The WSUS server in Site C sometimes contacts the WSUS server in Site A or B. This means downloading updates over a 1Mbit WAN link, rather than from itself!

    Either there's more to this story that I'm not getting, or I'm really confused. Of course the WSUS Servers in Site C and Site B are going to contact the WSUS Server in Site A .. they're downstream replica servers! They have to contact the server in Site A in order to synchronize updates and get update installation files.

    But, I think perhaps the question here is about the Windows Update Agent on the Windows Server hosting the DC and WSUS, and not about WSUS itself, and so the answer to this question depends on how exactly you have configured the DNS naming scheme for these WSUS Servers and which IP Address is being resolved at which time.

    Consider these two items:

    • The Downstream Replica WSUS Server at Site B and Site C needs to be able to resolve the hostname of the Upstream WSUS server to the IP Address in Site A ... 100% of the time.
    • The Windows Update Agent on the DC/WSUS Server at Site B and Site C needs to be able to resolve the hostname of the assigned WSUS Server to the LOCAL IP Address ... 100% of the time.

    So, the first questions are these:

    • What is the hostname defined for the upstream server in each of the Site B and Site C downstream replica server configurations?
    • What is the hostname defined for the assigned WSUS Server in the WUAgent configuration for those two machines?
    • What is the alias you defined in DNS to implement DNS Round Robin?
    • What is the actual hostname of the Upstream WSUS Server in Site A?

    Regarding the IPv6 question ... if you've not configured DNSv6 records, then it would be impossible for the machine to resolve the WSUS hostname to an IPv6 address as only the IPv4 addresses are available. I don't see how this could be a contributing factor.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Sunday, June 23, 2013 2:44 PM
    Moderator
  • We have 3 sites in our organization.

    Site A: 192.168.59.0/24, Site B: 192.168.60.0/24, Site C: 192.168.70.0/24

    Site A and B are in the same Geographical Location and connected by a 1GBit connection. Site C is connected over a 1MBit WAN link in another geographical location.

    Site A has 1 DC with WSUS installed. Site B has 2 DC, 1 DC has WSUS installed. Site C has 1 DC with WSUS installed.

    All servers are 2008 R2 servers. The WSUS server in site A is the Master WSUS server, and the two servers in Site B and Site C are replicas.

    One other thing was bugging me about this, and it wasn't until I just answered the previous thread that I realized what it was. Since you have AD SITES defined, and you have DCs installed in each SITE, presumably with DNS running -- why are you using DNS Round Robin in the first place?

    All that this scenario requires is three WSUS Servers, with three unique hostnames, and a SITE-BASED GPO that assigns the WSUS server to the members of that SITE, e.g. WSUS-A, WSUS-B, WSUS-C -- the Windows Update Agent gets its assignment according to the SITE it is physically present in, and on the downstream replica servers, the UPSTREAM server will always be WSUS-A.

    Problem solved. Only **mobile** clients need DNS Round Robin, and even then, only if Active Directory SITES have not been defined and it's necessary to rely on the current IP Network/Subnet Mask. But since you already have the AD SITES defined, you just need SITE-specific GPOs.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Sunday, June 23, 2013 2:59 PM
    Moderator
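
The answers above turn on which name the Windows Update Agent has been assigned and which address that name resolves to on each DC. The script below is an added example, not part of the thread: it reads the assigned server from the Windows Update policy key and reports whether each resolved IPv4 address is on one of the machine's own subnets. It assumes the assignment comes from Group Policy and that `WUServer` holds a full URL; it uses only calls available in PowerShell 2.0 on Server 2008 R2.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible (Server 2008 R2).
function Test-SameSubnet {
    param([string]$Remote, [string]$Local, [string]$Mask)
    $r = [System.Net.IPAddress]::Parse($Remote).GetAddressBytes()
    $l = [System.Net.IPAddress]::Parse($Local).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($r[$i] -band $m[$i]) -ne ($l[$i] -band $m[$i])) { return $false }
    }
    return $true
}

# WSUS assignment delivered to the Windows Update Agent by Group Policy.
# Assumption: WUServer is a full URL such as http://<hostname>:<port>.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $key -ErrorAction Stop
if (-not $policy.WUServer) { throw "No WUServer policy value under $key" }
$wuHost = ([Uri]$policy.WUServer).Host

# Local IPv4 address/mask pairs on every IP-enabled adapter.
$localNets = @()
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    for ($i = 0; $i -lt $_.IPAddress.Length; $i++) {
        if ($_.IPAddress[$i] -match '^\d+(\.\d+){3}$') {
            $localNets += ,@($_.IPAddress[$i], $_.IPSubnet[$i])
        }
    }
}

# Resolve the assigned name and flag every answer that is off the local subnets.
$order = 0
[System.Net.Dns]::GetHostAddresses($wuHost) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object {
        $order++
        $ip = $_.ToString()
        $isLocal = $false
        foreach ($net in $localNets) {
            if (Test-SameSubnet $ip $net[0] $net[1]) { $isLocal = $true }
        }
        New-Object PSObject -Property @{
            Order = $order; WUServer = $wuHost; Address = $ip; OnLocalSubnet = $isLocal
        }
    } | Format-Table Order, WUServer, Address, OnLocalSubnet -AutoSize
```

Any row with `OnLocalSubnet` set to `False` means the assigned name can resolve to a WSUS server outside this machine's subnet; with a unique hostname per site, the table has a single local row.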
