Windows Updates For Multiple Domains & VMs?

Asif Dasl

Hello all,

I'll be setting up my lab again and I want to set it up so all of the VMs get their Windows Updates from a single WSUS server which is not joined to any one domain. How do I go about it?

Do I set up a promiscuous VLAN and set up the VMs in a community VLAN or what's the best way to do it? I could download all the updates from the Microsoft server directly but I would like it to use WSUS if possible.

Promiscuous VLANs are usually used for routers right? so if I used them for WSUS would it also have to be a router for all my VMs to get out on to the Internet? Hope this makes sense!

Thanks all!

tprice5

Are you sold on WSUS being the sole delivery agent for your updates? You could stand up SCCM 2012 and package up your updates that way. I am positive there are not restrictions the prevent you from deploying across domains via SCCM.
I am pretty sure WSUS is not limited in this fashion either. Just stand up your WSUS server and deploy a GPO that instructs your clients where to look for updates. It uses Windows Update but instead of pointing to Microsoft, it points to your WSUS server. Here's the link.
It is all pretty straight forward once you get in there and start messing around. You will need to connect WSUS to a database so make sure you have a SQL box stood up, which you should already have anyways.

Let me know if you need any help. I literally just stood one of these up at my house. Pretty sure it's still trying to pull in 30GBs+ of updates.

Asif Dasl

Thanks for the link... I have licenses for SCCM 2012 from my TechNet subscription but when that ends in November I hope I don't have to rebuild my entire lab which was why I was going to use WSUS.

I believe WSUS should work across multiple domains but my main issue is how to get different Windows domains on their own VLANs to see a promiscuous VLAN and also get out on to the Internet. Networking is a weak point with me so I am going to read Chris Wahl's book on vSphere networking when I get the chance.

I am doing a overhaul of my lab hardware so won't get my hands dirty with this for another week or so.

I looked at this YouTube video and wondered if I could set this up... we'll have go anyway!

Online Training Configure Private VLANS - YouTube

tprice5

My mistake. I thought you were proposing the promiscuous vlan option as a way of skirting the cross domain issue. You and I are in the same boat with networking!

Essendon

This link should make things clearer > VMware KB: Private VLAN (PVLAN) on vNetwork Distributed Switch - Concept Overview

Basically, you can put your WSUS machine on the promiscuous secondary VLAN and the other VM's (that need the updates) on the isolated secondary VLAN. So the WSUS machine will be able to speak with all the machine in the isolated secondary VLAN. You gotta make sure the switch you use is aware of the Prvate VLAN. Can explain more later if you want, need to duck out for a meeting shortly..

Asif Dasl

Thanks for the link Essendon, it makes it much easier to visualise the process. However my HP V1910 doesn't look like it can handle PVLANs so maybe I will have to use a WSUS in each domain within it's own VLAN. I will have to research this a bit more, there was probably a reason why Eric Sloof was using a Cisco 2960G as I think it supports PVLANs out of the box.

jibbajabba

Just add multiple vNics to the WSUS server mapped to the multiple VLANs / Subnets, or create a TRUNK portgroup and create virtual interfaces in your WSUS server connecting to all needed VLANs / Subnets.

As for Cisco - have a look at the SG300 series, might be cheaper (and they are beauties).

Asif Dasl

Yes the NICs in each VLAN would do it, why didn't I think of that! Don't answer that!