WSUS GPO Help

    Question

  • Hi,

    I need advice please on creating a GPO for WSUS to tell clients at sites to now pick up their updates from the new WSUS site servers. So if in London, the clients will pick up from the London WSUS servers, and Glasgow picks up from the Glasgow site server, etc. We had the one central WSUS server that did all sites from our main data centre that just picked up updates straight from Microsoft. We have now created a new WSUS server in our DMZ that just downloads the updates to the central server, and from there it will distribute the updates to the site servers, and the clients now need to pick them up from the site servers. The site servers are set to replicate from the central server.

    What would be the best way to achieve this?

    Wednesday, December 16, 2015 11:12 AM

Answers

  • Assuming that the London computers are in an OU named "London", and, the Glasgow computers are in a different OU named "Glasgow", you can create two GPOs (one for each).

    The London GPO would specify the London WSUS servername. Link that London-WSUS GPO to the London OU.
    The Glasgow GPO would specify the Glasgow WSUS servername. Link that Glasgow-WSUS GPO to the Glasgow OU.

    There are other ways to do this, e.g. if you have control of DNS, and, you have clients who are mobile across sites, you can do some trickery with netmask ordering and/or similar things with DNS, where you would have a type of "go to the nearest server" kind of arrangement.

    There are also other options where you might have the computers get their approvals from your WSUS but get the update files from Microsoft directly - it depends how your WAN/Internet/network is set up, and how mobile your client computers are, and how much control you have to have over update management.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, December 16, 2015 11:29 AM
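
The per-site GPO layout described in the answer above, as an added example that is not part of the original thread. It uses the GroupPolicy module cmdlets; the OU distinguished names and WSUS host names are placeholders, and the HTTPS URLs on port 8531 assume the site WSUS servers are configured for SSL (the default non-SSL port is 8530).

```powershell
# Added example: one WSUS GPO per site OU, linked only to that OU.
# Run from a machine with the Group Policy Management tools (RSAT) installed.
Import-Module GroupPolicy

# Hypothetical site map: OU paths and WSUS URLs are placeholders, replace with your own.
$sites = @(
    @{ Name = 'London';  OU = 'OU=London,DC=example,DC=com';  Wsus = 'https://wsus-london.example.com:8531' },
    @{ Name = 'Glasgow'; OU = 'OU=Glasgow,DC=example,DC=com'; Wsus = 'https://wsus-glasgow.example.com:8531' }
)

# Policy registry key read by the Windows Update client.
$wuKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

foreach ($site in $sites) {
    $gpoName = "$($site.Name)-WSUS"

    # Create the GPO only if it does not exist, so the script can be re-run safely.
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName -Comment "Points $($site.Name) clients at the $($site.Name) WSUS server" | Out-Null
    }

    # "Specify intranet Microsoft update service location": update server and reporting server.
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUServer' -Type String -Value $site.Wsus | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $site.Wsus | Out-Null

    # Tell the Automatic Updates client to use the server configured above.
    Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null

    # Link the GPO to the site OU unless a link is already present.
    $linked = (Get-GPInheritance -Target $site.OU).GpoLinks.DisplayName
    if ($linked -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $site.OU -LinkEnabled Yes | Out-Null
    }

    Write-Output "$gpoName -> $($site.OU) -> $($site.Wsus)"
}
```

On a client in each OU, `gpresult /r` shows whether the site GPO applied after the next policy refresh.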

All replies

  • Hello,

    If I understood you correctly, you have one WSUS server in each site now?

    If yes, you need to configure one GPO policy for each AD site that contains the appropriate WSUS server's address, and point these policies to the AD sites.



    Wednesday, December 16, 2015 11:24 AM