3

I have four WSUS 3.0 SP2 servers that are geographically distributed. The server at our main site (we'll call it WSUS1) is the main WSUS server. All manual and auto-approvals happen here. The other three WSUS servers are replicas of this server.

Currently, we are only controlling desktop OS updates through WSUS. I would like to control server OS updates through WSUS as well. There is no need for all of these server updates to be on WSUS servers at the remote sites. The only server that would need a copy of them is WSUS1.

Is there a way to keep my current infrastructure as-is and add server OS updates only to WSUS1, even though the others are set up as replicas, or will I need to configure an additional WSUS server that's not replicated?

MDMarra

4 Answers

1

Seems like the other people that answered my question either misunderstood what I was trying to do, or misunderstood what a WSUS replica is.

Either way, I ended up just making a separate WSUS server that handles updates for only my servers.

MDMarra
  • I've looked into this also, and I also concluded this was the best way to go. +1 – Jacob Jan 24 '12 at 23:08
  • I'm really very curious why someone downvoted this. If someone that actually understands the question has a better answer, I'm all ears. – MDMarra Mar 02 '12 at 02:08
0

IIRC, if you still want to keep WSUS1 as a replica, you cannot use it for your servers the way described.

My bet is that, unless it is OK for servers to download from the master WSUS, you'll need to set up another WSUS for them, located wherever WSUS1 is or in another suitable place.

motobói
  • WSUS1 is **not** a replica. It is the master for three replicas that I do not want to hold a copy of server patches. That said, I think we've still come to the same conclusion. It seems that another WSUS server is in order here. – MDMarra Jan 24 '12 at 15:50
-1

The first thing that comes to mind is to build a new server in the required/existing location, choose specific updates to be handled by that server and then indicate where it should get the updates from, which is the main server, WSUS1. This way you'll limit the updates on the new server to only those that are required.

Vick Vega
  • I think you missed the crux of my question. If I have those updates approved on WSUS1, then it will replicate that approval to the other three WSUS servers in my domain and download them there (which I don't want it to). My question was about finding a way to avoid this behavior and whether it required an additional server or not. If I could approve those updates on WSUS1 without causing my other WSUS replicas to download them, I wouldn't need an additional server. I don't see the benefit to the approach that you are suggesting. – MDMarra Jan 23 '12 at 19:20
  • @MDMarra - The fact that you approved the updates doesn't mean that they will be downloaded to the other servers. Only the type of updates you choose to have on the WSUS is downloaded from the server up the chain. The updates that any WSUS server downloads are ONLY those that it has been set up for, such as patches, updates, etc. – Vick Vega Jan 23 '12 at 21:57
  • So, you're saying that I can add a classification for download to a server and replicas of that server will not download those patches? – MDMarra Jan 23 '12 at 23:26
  • @MDMarra - That's right. Just choose the requested classifications; the rest will not be downloaded. That's the whole point of such a config. Only specific types of updates are downloaded, based on the selection. – Vick Vega Jan 24 '12 at 00:58
  • And how exactly do you configure this on the replicas? All of that is greyed out, because it is a replica. http://i.imgur.com/UXKNX.png – MDMarra Jan 24 '12 at 01:07
  • Here's a bypass: http://technet.microsoft.com/en-us/library/cc720512(WS.10).aspx. In addition, if you can create an update view, you probably will be able to select updates that you don't need. For the second option, the lower WSUS in a chain will be required to download all the updates from the upper server. You should be able to decline updates that you don't need. – Vick Vega Jan 24 '12 at 02:43
  • You really don't understand what I'm trying to do here. Suffice to say, your suggestions aren't applicable. – MDMarra Jan 24 '12 at 02:52
-1

Actually, the answer is quite simple! In the GPO for the 3 subsites, use the setting Use client side targeting and give it a name (let's say "Clients"). Now create a folder under All Computers in the WSUS console with the same name as in the GPO (in our case, it is "Clients"). Also, in the replicas, go to Options and then to Computers and set Use group policy or registry settings on computers. Now all the computers from the downstream networks will start appearing in the "Clients" folder on the upstream WSUS. Now, while approving server updates, unmark the Clients folder and thus the server updates will not get approved/downloaded for the replica sites.

Falcon Momot
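The client-side targeting setting in the answer above ends up as policy registry values on each client, so it can be checked per machine. The following is an added example, not part of the answer or the thread: the function name is hypothetical, the group name "Clients" is the one used in the answer, and the registry paths are the standard Windows Update policy locations.

```powershell
# Added example: audit the client-side targeting policy on one WSUS client.
# Run locally on the client; nothing is changed, values are only read.
function Test-WsusClientTargeting {
    param(
        [string]$ExpectedGroup = 'Clients'   # group name from the answer above
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $problems = @()
    $groups   = @()
    if (-not $wu) {
        $problems += 'No Windows Update policy key found: the GPO has not applied.'
    }
    else {
        # UseWUServer = 1 means the client uses the intranet server in WUServer.
        if ($au.UseWUServer -ne 1) {
            $problems += 'UseWUServer is not 1: client is not pointed at WSUS.'
        }
        # TargetGroupEnabled = 1 is what "client-side targeting: Enabled" writes.
        if ($wu.TargetGroupEnabled -ne 1) {
            $problems += 'TargetGroupEnabled is not 1: client-side targeting is off.'
        }
        # TargetGroup may list several groups separated by semicolons.
        $groups = @("$($wu.TargetGroup)" -split ';' |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($groups -notcontains $ExpectedGroup) {
            $problems += "TargetGroup does not contain '$ExpectedGroup'."
        }
    }

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        WUServer     = $wu.WUServer
        TargetGroups = $groups -join ';'
        Compliant    = ($problems.Count -eq 0)
        Problems     = $problems -join ' '
    }
}

Test-WsusClientTargeting -ExpectedGroup 'Clients' | Format-List
```

A client only lands in the named group if that group already exists on the WSUS server and the server's Computers option is set to use Group Policy or registry settings; otherwise it stays in Unassigned Computers.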